Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

CVEs (9,359)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2020-35942 1Imagely 1Nextgen Gallery Jun 17, 2026 Feb 9, 2021 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 A Cross-Site Request Forgery (CSRF) issue in the NextGEN Gallery plugin before 3.5.0 for WordPress allows File Upload and Local File Inclusion via settings modification, leading to Remote Code Execution and XSS. (It is p...Show more A Cross-Site Request Forgery (CSRF) issue in the NextGEN Gallery plugin before 3.5.0 for WordPress allows File Upload and Local File Inclusion via settings modification, leading to Remote Code Execution and XSS. (It is possible to bypass CSRF protection by simply not including a nonce parameter.)Show less
CVE-2020-13460 1Tufin 1Securetrack Jun 17, 2026 Feb 9, 2021 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Multiple Cross-Site Request Forgery (CSRF) vulnerabilities were present in Tufin SecureTrack, affecting all versions prior to R20-2 GA.
CVE-2021-22500 1Microfocus 1Application Performance Management Jun 17, 2026 Feb 6, 2021 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 Cross Site Request Forgery vulnerability in Micro Focus Application Performance Management product, affecting versions 9.40, 9.50 and 9.51. The vulnerability could be exploited by attacker to trick the users into executi...Show more Cross Site Request Forgery vulnerability in Micro Focus Application Performance Management product, affecting versions 9.40, 9.50 and 9.51. The vulnerability could be exploited by attacker to trick the users into executing actions of the attacker's choosing.Show less
CVE-2021-20652 1Name Directory Project 1Name Directory Jun 17, 2026 Feb 5, 2021 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Cross-site request forgery (CSRF) vulnerability in Name Directory 1.17.4 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.
CVE-2020-4827 1Ibm 1Api Connect Jun 17, 2026 Feb 4, 2021 N/A· v4 4.3 MEDIUM· v3 4.3 MEDIUM· v2 IBM API Connect 10.0.0.0 through 10.0.1.0 and 2018.4.1.0 through 2018.4.1.13 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user...Show more IBM API Connect 10.0.0.0 through 10.0.1.0 and 2018.4.1.0 through 2018.4.1.13 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 189841.Show less
CVE-2020-4826 1Ibm 1Api Connect Jun 17, 2026 Feb 4, 2021 N/A· v4 4.3 MEDIUM· v3 4.3 MEDIUM· v2 IBM API Connect 10.0.0.0 through 10.0.1.0 and 2018.4.1.0 through 2018.4.1.13 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user...Show more IBM API Connect 10.0.0.0 through 10.0.1.0 and 2018.4.1.0 through 2018.4.1.13 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 189840.Show less
CVE-2020-9388 1Squaredup 1Squaredup Jun 17, 2026 Feb 3, 2021 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 CSRF protection was not present in SquaredUp before version 4.6.0. A CSRF attack could have been possible by an administrator executing arbitrary code in a HTML dashboard tile via a crafted HTML page, or by uploading a m...Show more CSRF protection was not present in SquaredUp before version 4.6.0. A CSRF attack could have been possible by an administrator executing arbitrary code in a HTML dashboard tile via a crafted HTML page, or by uploading a malicious SVG payload into a dashboard.Show less
CVE-2021-25765 1Jetbrains 1Youtrack Jun 17, 2026 Feb 3, 2021 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 In JetBrains YouTrack before 2020.4.4701, CSRF via attachment upload was possible.
CVE-2020-24271 1Easycms 1Easycms Jun 17, 2026 Feb 1, 2021 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 A CSRF vulnerability was discovered in EasyCMS v1.6 that can add an admin account through index.php?s=/admin/rbacuser/insert/navTabId/rbacuser/callbackType/closeCurrent, then post username=*&password=*.
CVE-2020-29004 1Mediawiki 1Mediawiki Jun 17, 2026 Jan 29, 2021 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 The API in the Push extension for MediaWiki through 1.35 did not require an edit token in ApiPushBase.php and therefore facilitated a CSRF attack.
CVE-2020-28403 1Iris 1Star Jun 17, 2026 Jan 29, 2021 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 A Cross-Site Request Forgery (CSRF) vulnerability exists in Star Practice Management Web version 2019.2.0.6, allowing an attacker to change the privileges of any user of the application. This can be used to grant himself...Show more A Cross-Site Request Forgery (CSRF) vulnerability exists in Star Practice Management Web version 2019.2.0.6, allowing an attacker to change the privileges of any user of the application. This can be used to grant himself administrative role or remove the administrative account of the application.Show less
CVE-2020-13569 1Open Emr 1Openemr Jun 17, 2026 Jan 28, 2021 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 A cross-site request forgery vulnerability exists in the GACL functionality of OpenEMR 5.0.2 and development version 6.0.0 (commit babec93f600ff1394f91ccd512bcad85832eb6ce). A specially crafted HTTP request can lead to t...Show more A cross-site request forgery vulnerability exists in the GACL functionality of OpenEMR 5.0.2 and development version 6.0.0 (commit babec93f600ff1394f91ccd512bcad85832eb6ce). A specially crafted HTTP request can lead to the execution of arbitrary requests in the context of the victim. An attacker can send an HTTP request to trigger this vulnerability.Show less
CVE-2021-20621 1Aterm 2Wg2600hp2 Firmware Wg2600hp Firmware Jun 17, 2026 Jan 28, 2021 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Cross-site request forgery (CSRF) vulnerability in Aterm WG2600HP firmware Ver1.0.2 and earlier, and Aterm WG2600HP2 firmware Ver1.0.2 and earlier allows remote attackers to hijack the authentication of administrators vi...Show more Cross-site request forgery (CSRF) vulnerability in Aterm WG2600HP firmware Ver1.0.2 and earlier, and Aterm WG2600HP2 firmware Ver1.0.2 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.Show less
CVE-2020-35239 1Cakephp 1Cakephp Jun 17, 2026 Jan 26, 2021 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 A vulnerability exists in CakePHP versions 4.0.x through 4.1.3. The CsrfProtectionMiddleware component allows method override parameters to bypass CSRF checks by changing the HTTP request method to an arbitrary string th...Show more A vulnerability exists in CakePHP versions 4.0.x through 4.1.3. The CsrfProtectionMiddleware component allows method override parameters to bypass CSRF checks by changing the HTTP request method to an arbitrary string that is not in the list of request methods that CakePHP checks. Additionally, the route middleware does not verify that this overriden method (which can be an arbitrary string) is actually an HTTP method.Show less
CVE-2021-21275 2Oracle Report Project 3Communications Cloud Native Core Network Slice Selection Function Communications Pricing Design CenterReport Jun 17, 2026 Jan 25, 2021 N/A· v4 4.3 MEDIUM· v3 4.3 MEDIUM· v2 The MediaWiki "Report" extension has a Cross-Site Request Forgery (CSRF) vulnerability. Before fixed version, there was no protection against CSRF checks on Special:Report, so requests to report a revision could be forge...Show more The MediaWiki "Report" extension has a Cross-Site Request Forgery (CSRF) vulnerability. Before fixed version, there was no protection against CSRF checks on Special:Report, so requests to report a revision could be forged. The problem has been fixed in commit f828dc6 by making use of MediaWiki edit tokens.Show less
CVE-2020-12511 1Pepperl Fuchs 12Io Link Master 4 Eip Firmware Io Link Master 4 Pnio FirmwareIo Link Master 8 Eip L Firmware+9 more Jun 17, 2026 Jan 22, 2021 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to a Cross-Site Request Forgery (CSRF) in the web interface.
CVE-2021-1257 2Cisco Mcafee 2Agent Catalyst Center Jun 17, 2026 Jan 20, 2021 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 A vulnerability in the web-based management interface of Cisco DNA Center Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack to manipulate an authenticated user...Show more A vulnerability in the web-based management interface of Cisco DNA Center Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack to manipulate an authenticated user into executing malicious actions without their awareness or consent. The vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a web-based management user to follow a specially crafted link. A successful exploit could allow the attacker to perform arbitrary actions on the device with the privileges of the authenticated user. These actions include modifying the device configuration, disconnecting the user's session, and executing Command Runner commands.Show less
CVE-2020-28452 1Softwaremill 1Akka Http Session Jun 17, 2026 Jan 20, 2021 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 This affects the package com.softwaremill.akka-http-session:core_2.12 from 0 and before 0.6.1; all versions of package com.softwaremill.akka-http-session:core_2.11; the package com.softwaremill.akka-http-session:core_2.1...Show more This affects the package com.softwaremill.akka-http-session:core_2.12 from 0 and before 0.6.1; all versions of package com.softwaremill.akka-http-session:core_2.11; the package com.softwaremill.akka-http-session:core_2.13 from 0 and before 0.6.1. CSRF protection can be bypassed by forging a request that contains the same value for both the X-XSRF-TOKEN header and the XSRF-TOKEN cookie value, as the check in randomTokenCsrfProtection only checks that the two values are equal and non-empty.Show less
CVE-2020-35217 1Eclipse 1Vert.x Web Jun 17, 2026 Jan 20, 2021 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Vert.x-Web framework v4.0 milestone 1-4 does not perform a correct CSRF verification. Instead of comparing the CSRF token in the request with the CSRF token in the cookie, it compares the CSRF token in the cookie against...Show more Vert.x-Web framework v4.0 milestone 1-4 does not perform a correct CSRF verification. Instead of comparing the CSRF token in the request with the CSRF token in the cookie, it compares the CSRF token in the cookie against a CSRF token that is stored in the session. An attacker does not even need to provide a CSRF token in the request because the framework does not consider it. The cookies are automatically sent by the browser and the verification will always succeed, leading to a successful CSRF attack.Show less
CVE-2020-23342 1Anchorcms 1Anchor Cms Jun 17, 2026 Jan 19, 2021 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 A CSRF vulnerability exists in Anchor CMS 0.12.7 anchor/views/users/edit.php that can change the Delete admin users.

Previous 1...320321322...468 Next