CWE-352
9,359 CVEs • Abstraction: Compound • Likelihood of Exploit: Medium
Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
CVEs (9,359)
| Vendors | Products | Updated | Published | CVSS | Description |
|---|---|---|---|---|---|
| | | | | | An issue was discovered in Joomla! 2.5.0 through 3.9.22. A missing token check in the emailexport feature of com_privacy causes a CSRF vulnerability. |
| | | | | | An issue was discovered in Zammad before 3.4.1. The Tag and Link REST API endpoints (for add and delete) lack a CSRF token check. |
| | | | | | CXUUCMS V3 3.1 has a CSRF vulnerability that can add an administrator account via admin.php?c=adminuser&a=add. |
| User Registration & Login And User Management System With Admin Panel Project | User Registration & Login And User Management System With Admin Panel | Jun 17, 2026 | Dec 26, 2020 | N/A (v4), 8.8 HIGH (v3), 6.8 MEDIUM (v2) | A Cross Site Request Forgery (CSRF) vulnerability exists in the loginsystem page in PHPGurukul User Registration & Login and User Management System With Admin Panel 2.1. |
| Bigprof | Online Invoicing System | Jun 17, 2026 | Dec 24, 2020 | N/A (v4), 4.8 MEDIUM (v3), 3.5 LOW (v2) | BigProf Online Invoicing System before 4.0 fails to adequately sanitize fields for HTML characters upon an administrator using admin/pageEditGroup.php to create a new group, resulting in Stored XSS. The caveat here is th... |
| | | | | | Nagios Core application version 4.2.4 is vulnerable to Site-Wide Cross-Site Request Forgery (CSRF) in many functions, like adding – deleting for hosts or servers. |
| | | | | | An issue was discovered in the PushToWatch extension for MediaWiki through 1.35.1. The primary form did not implement an anti-CSRF token and therefore was completely vulnerable to CSRF attacks against onSkinAddFooterLink... |
| Egavilanmedia | User Registration & Login System With Admin Panel | Jun 17, 2026 | Dec 21, 2020 | N/A (v4), 8.0 HIGH (v3), 6.0 MEDIUM (v2) | EgavilanMedia User Registration & Login System with Admin Panel 1.0 is affected by Cross Site Request Forgery (CSRF) to remotely gain privileges in the User Profile panel. An attacker can update any user's account. |
| Hp | Storeever 1/8 G2 Tape Autoloader Firmware; Storeever Msl2024 Firmware | Jun 17, 2026 | Dec 18, 2020 | N/A (v4), 8.8 HIGH (v3), 6.8 MEDIUM (v2) | A potential security vulnerability has been identified in the HPE StoreEver MSL2024 Tape Library and HPE StoreEver 1/8 G2 Tape Autoloaders. The vulnerability could be remotely exploited to allow Cross-site Request Forger... |
| | | | | | IBM Planning Analytics 2.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 188898. |
| Lantronix | Sgx Firmware; Xport Edge Firmware | Jun 17, 2026 | Dec 18, 2020 | N/A (v4), 4.5 MEDIUM (v3), 3.5 LOW (v2) | An authentication bypass vulnerability exists in the Web Manager functionality of Lantronix XPort EDGE 3.0.0.0R11, 3.1.0.0R9, 3.4.0.0R12 and 4.2.0.0R7. A specially crafted HTTP request can cause increased privileges. An... |
| Trendmicro | Interscan Web Security Virtual Appliance | Jun 17, 2026 | Dec 17, 2020 | N/A (v4), 9.8 CRITICAL (v3), 10.0 HIGH (v2) | A vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2 could allow an attacker to manipulate system updates using a combination of CSRF bypass (CVE-2020-8461) and authentication bypass (CVE-2020-... |
| Trendmicro | Interscan Web Security Virtual Appliance | Jun 17, 2026 | Dec 17, 2020 | N/A (v4), 8.8 HIGH (v3), 6.8 MEDIUM (v2) | A CSRF protection bypass vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2 could allow an attacker to get a victim's browser to send a specifically encoded request without requiring a valid CS... |
| | | | | | LogRhythm Platform Manager (PM) 7.4.9 allows CSRF. The Web interface is vulnerable to Cross-site WebSocket Hijacking (CSWH). If a logged-in PM user visits a malicious site in the same browser session, that site can perfo... |
| Ibm | Financial Transaction Manager For Multiplatform | Jun 17, 2026 | Dec 16, 2020 | N/A (v4), 6.5 MEDIUM (v3), 4.3 MEDIUM (v2) | IBM Financial Transaction Manager for SWIFT Services for Multiplatforms 3.2.4 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a use... |
| Epson | Eps Tse Server 8 Firmware | Jun 17, 2026 | Dec 16, 2020 | N/A (v4), 8.8 HIGH (v3), 6.8 MEDIUM (v2) | Lack of an anti-CSRF token in the entire administrative interface in EPSON EPS TSE Server 8 (21.0.11) allows an unauthenticated attacker to force an administrator to execute external POST requests by visiting a malicious... |
| | | | | | AdRem NetCrunch 10.6.0.4587 has a Cross-Site Request Forgery (CSRF) vulnerability in the NetCrunch web client. Successful exploitation requires a logged-in user to open a malicious page and leads to account takeover. |
| | | | | | An issue was discovered in SolarWinds N-Central 12.3.0.670. The AdvancedScripts HTTP endpoint allows CSRF. |
| | | | | | A flaw was found in Eclipse Che in versions prior to 7.14.0 that impacts CodeReady Workspaces. When configured with cookies authentication, Theia IDE doesn't properly set the SameSite value, allowing a Cross-Site Request... |
| | | | | | A vulnerability has been identified in XHQ (All Versions < 6.1). The web interface could allow a Cross-Site Request Forgery (CSRF) attack if an unsuspecting user is tricked into accessing a malicious link. |