Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

CVEs (9,358)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2016-11084 1Mattermost 1Mattermost Server Nov 21, 2024 Jun 19, 2020 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 An issue was discovered in Mattermost Server before 2.1.0. It allows XSS via CSRF.
CVE-2017-18903 1Mattermost 1Mattermost Server Nov 21, 2024 Jun 19, 2020 N/A· v4 8.8 HIGH· v3 5.1 MEDIUM· v2 An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. CSRF can occur if CORS is enabled.
CVE-2020-8167 2Debian Rubyonrails 2Debian Linux Rails Jun 17, 2026 Jun 19, 2020 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 A CSRF vulnerability exists in rails <= 6.0.3 rails-ujs module that could allow attackers to send CSRF tokens to wrong domains.
CVE-2019-20865 1Mattermost 1Mattermost Server Jun 17, 2026 Jun 19, 2020 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 An issue was discovered in Mattermost Server before 5.12.0, 5.11.1, 5.10.2, 5.9.2, and 4.10.10. The login page allows CSRF.
CVE-2019-20841 1Mattermost 1Mattermost Server Jun 17, 2026 Jun 19, 2020 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5.16.4, 5.15.4, and 5.9.7. CSRF can sometimes occur via a crafted web site for account takeover attacks.
CVE-2020-14432 1Netgear 12Rbk752 Firmware Rbk753 FirmwareRbk753s Firmware+9 more Jun 17, 2026 Jun 18, 2020 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Certain NETGEAR devices are affected by CSRF. This affects RBK752 before 3.2.15.25, RBK753 before 3.2.15.25, RBK753S before 3.2.15.25, RBR750 before 3.2.15.25, RBS750 before 3.2.15.25, RBK842 before 3.2.15.25, RBR840 bef...Show more Certain NETGEAR devices are affected by CSRF. This affects RBK752 before 3.2.15.25, RBK753 before 3.2.15.25, RBK753S before 3.2.15.25, RBR750 before 3.2.15.25, RBS750 before 3.2.15.25, RBK842 before 3.2.15.25, RBR840 before 3.2.15.25, RBS840 before 3.2.15.25, RBK852 before 3.2.15.25, RBK853 before 3.2.15.25, RBR850 before 3.2.15.25, and RBS850 before 3.2.15.25.Show less
CVE-2020-7503 1Schneider Electric 1Easergy T300 Firmware Jun 17, 2026 Jun 16, 2020 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 A CWE-352: Cross-Site Request Forgery (CSRF) vulnerability exists in Easergy T300 (Firmware version 1.5.2 and older) which could allow an attacker to execute malicious commands on behalf of a legitimate user when xsrf-to...Show more A CWE-352: Cross-Site Request Forgery (CSRF) vulnerability exists in Easergy T300 (Firmware version 1.5.2 and older) which could allow an attacker to execute malicious commands on behalf of a legitimate user when xsrf-token data is intercepted.Show less
CVE-2019-19109 1Gvectors 1Wpforo Jun 17, 2026 Jun 15, 2020 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 The wpForo plugin 1.6.5 for WordPress allows wp-admin/admin.php?page=wpforo-usergroups CSRF.
CVE-2020-4040 1Boltcms 1Bolt Jun 17, 2026 Jun 8, 2020 N/A· v4 4.3 MEDIUM· v3 4.3 MEDIUM· v2 Bolt CMS before version 3.7.1 lacked CSRF protection in the preview generating endpoint. Previews are intended to be generated by the admins, developers, chief-editors, and editors, who are authorized to create content i...Show more Bolt CMS before version 3.7.1 lacked CSRF protection in the preview generating endpoint. Previews are intended to be generated by the admins, developers, chief-editors, and editors, who are authorized to create content in the application. But due to lack of proper CSRF protection, unauthorized users could generate a preview. This has been fixed in Bolt 3.7.1Show less
CVE-2020-9042 1Couchbase 1Couchbase Server Jun 17, 2026 Jun 8, 2020 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 In Couchbase Server 6.0, credentials cached by a browser can be used to perform a CSRF attack if an administrator has used their browser to check the results of a REST API request.
CVE-2020-13868 1Verbb 1Comments Jun 17, 2026 Jun 5, 2020 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 An issue was discovered in the Comments plugin before 1.5.5 for Craft CMS. CSRF affects comment integrity.
CVE-2020-11682 1Castel 1Nextgen Dvr Firmware Jun 17, 2026 Jun 4, 2020 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 Castel NextGen DVR v1.0.0 is vulnerable to CSRF in all state-changing request. A __RequestVerificationToken is set by the web interface, and included in requests sent by web interface. However, this token is not verified...Show more Castel NextGen DVR v1.0.0 is vulnerable to CSRF in all state-changing request. A __RequestVerificationToken is set by the web interface, and included in requests sent by web interface. However, this token is not verified by the application: the token can be removed from all requests and the request will succeed.Show less
CVE-2020-13786 1Dlink 1Dir 865l Firmware Jun 17, 2026 Jun 3, 2020 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 D-Link DIR-865L Ax 1.20B01 Beta devices allow CSRF.
CVE-2020-2196 1Jenkins 1Selenium Jun 17, 2026 Jun 3, 2020 N/A· v4 8.0 HIGH· v3 6.0 MEDIUM· v2 Jenkins Selenium Plugin 3.141.59 and earlier has no CSRF protection for its HTTP endpoints, allowing attackers to perform all administrative actions provided by the plugin.
CVE-2020-2192 1Jenkins 1Self Organizing Swarm Modules Jun 17, 2026 Jun 3, 2020 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 A cross-site request forgery vulnerability in Jenkins Self-Organizing Swarm Plug-in Modules Plugin 3.20 and earlier allows attackers to add or remove agent labels.
CVE-2020-13760 1Joomla 1Joomla Jun 17, 2026 Jun 2, 2020 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 In Joomla! before 3.9.19, missing token checks in com_postinstall lead to CSRF.
CVE-2014-8942 1Piwigo 1Lexiglot Nov 21, 2024 Jun 1, 2020 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Lexiglot through 2014-11-20 allows CSRF.
CVE-2020-4018 1Atlassian 2Crucible Fisheye Jun 17, 2026 Jun 1, 2020 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 The setup resources in Atlassian Fisheye and Crucible before version 4.8.1 allows remote attackers to complete the setup process via a cross-site request forgery (CSRF) vulnerability.
CVE-2020-13643 1Siteorigin 1Page Builder Jun 17, 2026 May 28, 2020 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 An issue was discovered in the SiteOrigin Page Builder plugin before 2.10.16 for WordPress. The live editor feature did not do any nonce verification, allowing for requests to be forged on behalf of an administrator. The...Show more An issue was discovered in the SiteOrigin Page Builder plugin before 2.10.16 for WordPress. The live editor feature did not do any nonce verification, allowing for requests to be forged on behalf of an administrator. The live_editor_panels_data $_POST variable allows for malicious JavaScript to be executed in the victim's browser.Show less
CVE-2020-13642 1Siteorigin 1Page Builder Jun 17, 2026 May 28, 2020 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 An issue was discovered in the SiteOrigin Page Builder plugin before 2.10.16 for WordPress. The action_builder_content function did not do any nonce verification, allowing for requests to be forged on behalf of an admini...Show more An issue was discovered in the SiteOrigin Page Builder plugin before 2.10.16 for WordPress. The action_builder_content function did not do any nonce verification, allowing for requests to be forged on behalf of an administrator. The panels_data $_POST variable allows for malicious JavaScript to be executed in the victim's browser.Show less

Previous 1...330331332...468 Next