CWE-352

9,359 CVEs • Abstraction: Compound • Likelihood of Exploit: Medium

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

CVEs (9,359)

Each entry below gives Vendors | Products | Updated | Published, then the CVSS scores (v4 / v3 / v2), then the description.

Vendors: Pixelimity | Products: Pixelimity | Updated: Jun 17, 2026 | Published: Jan 19, 2021
CVSS: v4 N/A | v3 6.8 MEDIUM | v2 6.0 MEDIUM
Pixelimity 1.0 has cross-site request forgery via the admin/setting.php data [Password] parameter.

Vendors: Bosch | Products: Praesensa Firmware, Praesideo Firmware | Updated: Jun 17, 2026 | Published: Jan 14, 2021
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.8 MEDIUM
A vulnerability in the web-based management interface of Bosch PRAESIDEO until and including version 4.41 and Bosch PRAESENSA until and including version 1.10 allows an unauthenticated remote attacker to trigger actions on an affected system on behalf of another user (Cross-Site Request Forgery). This requires the victim to be tricked into clicking a malicious link or submitting a malicious form. A successful exploit allows the attacker to perform arbitrary actions with the privileges of the victim, e.g. creating and modifying user accounts, changing system configuration settings and causing DoS conditions. Note: For Bosch PRAESIDEO 4.31 and newer and Bosch PRAESENSA in all versions, the confidentiality impact is considered low because user credentials are not shown in the web interface.

Vendors: Php Fusion | Products: Phpfusion | Updated: Jun 17, 2026 | Published: Jan 13, 2021
CVSS: v4 N/A | v3 4.3 MEDIUM | v2 4.3 MEDIUM
PHPFusion version 9.03.90 is vulnerable to CSRF attack which leads to deletion of all shoutbox messages by the attacker on behalf of the logged in victim.

Vendors: Jupyter | Products: Jupyterhub | Updated: Jun 17, 2026 | Published: Jan 13, 2021
CVSS: v4 N/A | v3 4.5 MEDIUM | v2 3.5 LOW
JupyterHub 1.1.0 allows CSRF in the admin panel via a request that lacks an _xsrf field, as demonstrated by a /hub/api/user request (to add or remove a user account).

Vendors: Sean Barton | Products: Elementor Contact Form Db | Updated: Jun 17, 2026 | Published: Jan 12, 2021
CVSS: v4 N/A | v3 6.5 MEDIUM | v2 4.3 MEDIUM
The Elementor Contact Form DB plugin before 1.6 for WordPress allows CSRF via backend admin pages.

Vendors: Flask Security Too Project | Products: Flask Security Too | Updated: Jun 17, 2026 | Published: Jan 11, 2021
CVSS: v4 N/A | v3 7.4 HIGH | v2 4.3 MEDIUM
The Python "Flask-Security-Too" package is used for adding security features to your Flask application. It is an independently maintained version of Flask-Security based on the 3.0.0 version of Flask-Security. In Flask-Security-Too from version 3.3.0 and before version 3.4.5, the /login and /change endpoints can return the authenticated user's authentication token in response to a GET request. Since GET requests aren't protected with a CSRF token, this could lead to a malicious 3rd party site acquiring the authentication token. Version 3.4.5 and version 4.0.0 are patched. As a workaround, if you aren't using authentication tokens, you can set the SECURITY_TOKEN_MAX_AGE to "0" (seconds), which should make the token unusable.

Vendors: Wdja | Products: Wdja Cms | Updated: Jun 17, 2026 | Published: Jan 11, 2021
CVSS: v4 N/A | v3 6.1 MEDIUM | v2 4.3 MEDIUM
Cross-site request forgery (CSRF) in admin/global/manage.php in WDJA CMS 1.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via the tongji parameter.

Vendors: Fork Cms | Products: Fork Cms | Updated: Jun 17, 2026 | Published: Jan 11, 2021
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.8 MEDIUM
Multiple cross-site request forgery (CSRF) vulnerabilities in the Admin Console in Fork before 5.8.3 allow remote attackers to perform unauthorized actions as administrator to (1) approve the mass of the user's comments, (2) restore a deleted user, (3) install or run modules, (4) reset the analytics, (5) ping the mailmotor api, (6) upload things to the media library, (7) export locale.

Vendors: Quest | Products: Policy Authority For Unified Communications | Updated: Jun 17, 2026 | Published: Jan 11, 2021
CVSS: v4 N/A | v3 6.5 MEDIUM | v2 4.3 MEDIUM
CSRF in Web Compliance Manager in Quest Policy Authority 8.1.2.200 allows remote attackers to force user modification/creation via a specially crafted link to the submitUser.jsp file. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Vendors: Totalonlinesolutions | Products: Advanced Webhost Billing System | Updated: Jun 17, 2026 | Published: Jan 8, 2021
CVSS: v4 N/A | v3 4.3 MEDIUM | v2 4.3 MEDIUM
Advanced Webhost Billing System 3.7.0 is affected by Cross Site Request Forgery (CSRF) attacks that can delete a contact from the My Additional Contact page.

Vendors: Ninjaforms | Products: Ninja Forms | Updated: Jun 17, 2026 | Published: Jan 6, 2021
CVSS: v4 N/A | v3 6.5 MEDIUM | v2 4.3 MEDIUM
The Ninja Forms plugin before 3.4.27.1 for WordPress allows CSRF via services integration.

Vendors: Mcafee | Products: Network Security Management | Updated: Jun 17, 2026 | Published: Jan 5, 2021
CVSS: v4 N/A | v3 6.5 MEDIUM | v2 4.3 MEDIUM
Cross Site Request Forgery vulnerability in McAfee Network Security Management (NSM) prior to 10.1.7.35 and NSM 9.x prior to 9.2.9.55 may allow an attacker to change the configuration of the Network Security Manager via a carefully crafted HTTP request.

Vendors: Ibm | Products: Curam Social Program Management | Updated: Jun 17, 2026 | Published: Jan 4, 2021
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.8 MEDIUM
IBM Curam Social Program Management 7.0.9 and 7.0.11 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 191942.

Vendors: Ibm | Products: Cloud Pak System | Updated: Jun 17, 2026 | Published: Jan 4, 2021
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.8 MEDIUM
IBM Cloud Pak System 2.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 191391.

Vendors: Mk Auth | Products: Mk Auth | Updated: Jun 17, 2026 | Published: Jan 4, 2021
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.8 MEDIUM
MK-AUTH through 19.01 K4.9 allows CSRF for password changes via the central/executar_central.php?acao=altsenha_princ URI.

Vendors: Xcloner | Products: Xcloner | Updated: Jun 17, 2026 | Published: Jan 1, 2021
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.8 MEDIUM
An issue was discovered in the XCloner Backup and Restore plugin before 4.2.153 for WordPress. It allows CSRF (via almost any endpoint).

Vendors: Pagelayer | Products: Pagelayer | Updated: Jun 17, 2026 | Published: Jan 1, 2021
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.8 MEDIUM
An issue was discovered in the PageLayer plugin before 1.1.2 for WordPress. The pagelayer_settings_page function is vulnerable to CSRF, which can lead to XSS.

Vendors: Open Emr | Products: Openemr | Updated: Nov 21, 2024 | Published: Dec 31, 2020
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.8 MEDIUM
OpenEMR 5.0.1.3 allows Cross-Site Request Forgery (CSRF) via library/ajax and interface/super, as demonstrated by use of interface/super/manage_site_files.php to upload a .php file.

Vendors: Netgear | Products: Gs716t Firmware, Gs724t Firmware | Updated: Jun 17, 2026 | Published: Dec 30, 2020
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.8 MEDIUM
Certain NETGEAR devices are affected by CSRF. This affects GS716Tv3 before 6.3.1.36 and GS724Tv4 before 6.3.1.36.

Vendors: Freehtmldesigns | Products: Site Offline | Updated: Jun 17, 2026 | Published: Dec 29, 2020
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.8 MEDIUM
The site-offline plugin before 1.4.4 for WordPress lacks certain wp_create_nonce and wp_verify_nonce calls, aka CSRF.