Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

CVEs (9,358)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2020-10986 1Tenda 1Ac15 Firmware Jun 17, 2026 Jul 13, 2020 N/A· v4 6.5 MEDIUM· v3 7.1 HIGH· v2 A CSRF issue in the /goform/SysToolReboot endpoint of Tenda AC15 AC1900 version 15.03.05.19 allows remote attackers to reboot the device and cause denial of service via a payload hosted by an attacker-controlled web page...Show more A CSRF issue in the /goform/SysToolReboot endpoint of Tenda AC15 AC1900 version 15.03.05.19 allows remote attackers to reboot the device and cause denial of service via a payload hosted by an attacker-controlled web page.Show less
CVE-2020-15600 1Cmsuno Project 1Cmsuno Jun 17, 2026 Jul 7, 2020 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 An issue was discovered in CMSUno before 1.6.1. uno.php allows CSRF to change the admin password.
CVE-2020-15516 1Mm Forum Project 1Mm Forum Jun 17, 2026 Jul 7, 2020 N/A· v4 5.4 MEDIUM· v3 5.8 MEDIUM· v2 The mm_forum extension through 1.9.5 for TYPO3 allows XSS that can be exploited via CSRF.
CVE-2020-8166 2Debian Rubyonrails 2Debian Linux Rails Jun 17, 2026 Jul 2, 2020 N/A· v4 4.3 MEDIUM· v3 4.3 MEDIUM· v2 A CSRF forgery vulnerability exists in rails < 5.2.5, rails < 6.0.4 that makes it possible for an attacker to, given a global CSRF token such as the one present in the authenticity_token meta tag, forge a per-form CSRF t...Show more A CSRF forgery vulnerability exists in rails < 5.2.5, rails < 6.0.4 that makes it possible for an attacker to, given a global CSRF token such as the one present in the authenticity_token meta tag, forge a per-form CSRF token.Show less
CVE-2020-2215 1Jenkins 1Zephyr For Jira Test Management Jun 17, 2026 Jul 2, 2020 N/A· v4 4.3 MEDIUM· v3 4.3 MEDIUM· v2 A cross-site request forgery vulnerability in Jenkins Zephyr for JIRA Test Management Plugin 1.5 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified username and password...Show more A cross-site request forgery vulnerability in Jenkins Zephyr for JIRA Test Management Plugin 1.5 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified username and password.Show less
CVE-2020-2203 1Jenkins 1Fortify On Demand Jun 17, 2026 Jul 2, 2020 N/A· v4 4.3 MEDIUM· v3 4.3 MEDIUM· v2 A cross-site request forgery vulnerability in Jenkins Fortify on Demand Plugin 5.0.1 and earlier allows attackers to connect to the globally configured Fortify on Demand endpoint using attacker-specified credentials IDs.
CVE-2020-5904 1F5 11Big Ip Access Policy Manager Big Ip Advanced Firewall ManagerBig Ip Analytics+8 more Jun 17, 2026 Jul 1, 2020 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, a cross-site request forgery (CSRF) vulnerability in the Traffic Management User Interface (TMUI), also referred to as the Configurat...Show more In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, a cross-site request forgery (CSRF) vulnerability in the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, exists in an undisclosed page.Show less
CVE-2020-5900 1F5 1Nginx Controller Jun 17, 2026 Jul 1, 2020 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 In versions 3.0.0-3.4.0, 2.0.0-2.9.0, and 1.0.1, there is insufficient cross-site request forgery (CSRF) protections for the NGINX Controller user interface.
CVE-2020-15400 1Cakefoundation 1Cakephp Jun 17, 2026 Jun 30, 2020 N/A· v4 4.3 MEDIUM· v3 4.3 MEDIUM· v2 CakePHP before 4.0.6 mishandles CSRF token generation. This might be remotely exploitable in conjunction with XSS.
CVE-2019-20415 1Atlassian 4Jira Jira Data CenterJira Server+1 more Jun 17, 2026 Jun 30, 2020 N/A· v4 4.3 MEDIUM· v3 4.3 MEDIUM· v2 Atlassian Jira Server and Data Center in affected versions allows remote attackers to modify logging and profiling settings via a cross-site request forgery (CSRF) vulnerability. The affected versions are before version...Show more Atlassian Jira Server and Data Center in affected versions allows remote attackers to modify logging and profiling settings via a cross-site request forgery (CSRF) vulnerability. The affected versions are before version 7.13.3, and from version 8.0.0 before 8.1.0.Show less
CVE-2020-15043 1Iball 1Wrb303n Firmware Jun 17, 2026 Jun 29, 2020 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 iBall WRB303N devices allow CSRF attacks, as demonstrated by enabling remote management, enabling DHCP, or modifying the subnet range for IP addresses.
CVE-2019-20411 1Atlassian 3Jira Jira Data CenterJira Server Jun 17, 2026 Jun 29, 2020 N/A· v4 4.3 MEDIUM· v3 4.3 MEDIUM· v2 Affected versions of Atlassian Jira Server and Data Center allow remote attackers to modify Wallboard settings via a Cross-site request forgery (CSRF) vulnerability. The affected versions are before version 7.13.9, and f...Show more Affected versions of Atlassian Jira Server and Data Center allow remote attackers to modify Wallboard settings via a Cross-site request forgery (CSRF) vulnerability. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2.Show less
CVE-2020-15046 1Supermicro 2X10drh It Bios X10drh It Firmware Jun 17, 2026 Jun 24, 2020 N/A· v4 8.8 HIGH· v3 9.3 HIGH· v2 The web interface on Supermicro X10DRH-iT motherboards with BIOS 2.0a and IPMI firmware 03.40 allows remote attackers to exploit a cgi/config_user.cgi CSRF issue to add new admin users. The fixed versions are BIOS 3.2 an...Show more The web interface on Supermicro X10DRH-iT motherboards with BIOS 2.0a and IPMI firmware 03.40 allows remote attackers to exploit a cgi/config_user.cgi CSRF issue to add new admin users. The fixed versions are BIOS 3.2 and firmware 03.88.Show less
CVE-2020-15014 1Pramod 1Blogcms Jun 17, 2026 Jun 24, 2020 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 pramodmahato BlogCMS through 2019-12-31 has admin/changepass.php CSRF.
CVE-2020-13157 1Nukeviet 1Nukeviet Jun 17, 2026 Jun 23, 2020 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 modules\users\admin\edit.php in NukeViet 4.4 allows CSRF to change a user's password via an admin/index.php?nv=users&op=edit&userid= URI. The old password is not needed.
CVE-2020-13156 1Nukeviet 1Nukeviet Jun 17, 2026 Jun 23, 2020 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 modules\users\admin\add_user.php in NukeViet 4.4 allows CSRF to add a user account via the admin/index.php?nv=users&op=user_add URI.
CVE-2020-13155 1Nukeviet 1Nukeviet Jun 17, 2026 Jun 23, 2020 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 clearsystem.php in NukeViet 4.4 allows CSRF with resultant HTML injection via the deltype parameter to the admin/index.php?nv=webtools&op=clearsystem URI.
CVE-2020-13426 1Bdtask 1Multi Scheduler Jun 17, 2026 Jun 22, 2020 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 The Multi-Scheduler plugin 1.0.0 for WordPress has a Cross-Site Request Forgery (CSRF) vulnerability in the forms it presents, allowing the possibility of deleting records (users) when an ID is known.
CVE-2020-14203 1Ibi 1Webfocus Business Intelligence Jun 17, 2026 Jun 22, 2020 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 WebFOCUS Business Intelligence 8.0 (SP6) allows a Cross-Site Request Forgery (CSRF) attack against administrative users within the /ibi_apps/WFServlet(.ibfs) endpoint. The impact may be creation of an administrative user...Show more WebFOCUS Business Intelligence 8.0 (SP6) allows a Cross-Site Request Forgery (CSRF) attack against administrative users within the /ibi_apps/WFServlet(.ibfs) endpoint. The impact may be creation of an administrative user. It can also be exploited in conjunction with CVE-2016-9044.Show less
CVE-2019-20891 1Woocommerce 1Woocommerce Jun 17, 2026 Jun 19, 2020 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 WooCommerce before 3.6.5, when it handles CSV imports of products, has a cross-site request forgery (CSRF) issue with resultant stored cross-site scripting (XSS) via includes/admin/importers/class-wc-product-csv-importer...Show more WooCommerce before 3.6.5, when it handles CSV imports of products, has a cross-site request forgery (CSRF) issue with resultant stored cross-site scripting (XSS) via includes/admin/importers/class-wc-product-csv-importer-controller.php.Show less

Previous 1...329330331...468 Next