CWE-352

9,349 CVEs • Abstraction: Compound • Likelihood of Exploit: Medium

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.


CVEs (9,349)

Vendor: Atlassian | Product: Jira Server | Updated: Jun 17, 2026 | Published: Feb 6, 2020 | CVSS v4: N/A | CVSS v3: 6.5 MEDIUM | CVSS v2: 4.3 MEDIUM
Various installation setup resources in Jira before version 8.5.2 allow remote attackers to configure a Jira instance, which has not yet finished being installed, via Cross-site request forgery (CSRF) vulnerabilities.

Vendor: Batavi | Product: Batavi | Updated: Nov 21, 2024 | Published: Feb 5, 2020 | CVSS v4: N/A | CVSS v3: 8.8 HIGH | CVSS v2: 6.8 MEDIUM
Batavi before 1.0 has CSRF.

Vendor: Ibm | Product: Planning Analytics | Updated: Jun 17, 2026 | Published: Feb 5, 2020 | CVSS v4: N/A | CVSS v3: 8.8 HIGH | CVSS v2: 6.8 MEDIUM
IBM Planning Analytics 2.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 168524.

Vendor: Themeum | Product: Tutor Lms | Updated: Jun 17, 2026 | Published: Feb 4, 2020 | CVSS v4: N/A | CVSS v3: 6.5 MEDIUM | CVSS v2: 2.6 LOW
A CSRF vulnerability in the Tutor LMS plugin before 1.5.3 for WordPress can result in an attacker approving themselves as an instructor and performing other malicious actions (such as blocking legitimate instructors).

Vendor: Phppgadmin Project | Product: Phppgadmin | Updated: Jun 17, 2026 | Published: Feb 4, 2020 | CVSS v4: N/A | CVSS v3: 9.6 CRITICAL | CVSS v2: 9.3 HIGH
phppgadmin through 7.12.1 allows sensitive actions to be performed without validating that the request originated from the application. One such area, "database.php" does not verify the source of an HTTP request. This can be leveraged by a remote attacker to trick a logged-in administrator to visit a malicious page with a CSRF exploit and execute arbitrary system commands on the server.

Vendor: Dlink | Product: Dir 100 Firmware | Updated: Nov 21, 2024 | Published: Feb 4, 2020 | CVSS v4: N/A | CVSS v3: 8.8 HIGH | CVSS v2: 6.8 MEDIUM
D-Link DIR-100 4.03B07: cli.cgi CSRF

Vendor: Arox | Product: School Management Software Php/mysql | Updated: Jun 17, 2026 | Published: Jan 31, 2020 | CVSS v4: N/A | CVSS v3: 6.5 MEDIUM | CVSS v2: 4.3 MEDIUM
School Management Software PHP/mySQL through 2019-03-14 allows office_admin/?action=deleteadmin CSRF to delete a user.

Vendor: Arox | Product: School Management Software Php/mysql | Updated: Jun 17, 2026 | Published: Jan 31, 2020 | CVSS v4: N/A | CVSS v3: 6.5 MEDIUM | CVSS v2: 4.3 MEDIUM
School Management Software PHP/mySQL through 2019-03-14 allows office_admin/?action=addadmin CSRF to add an administrative user.

Vendor: Wowza | Product: Streaming Engine | Updated: Jun 17, 2026 | Published: Jan 29, 2020 | CVSS v4: N/A | CVSS v3: 6.5 MEDIUM | CVSS v2: 4.3 MEDIUM
Wowza Streaming Engine 4.8.0 and earlier suffers from multiple CSRF vulnerabilities. For example, an administrator, by following a link, can be tricked into making unwanted changes such as adding another admin user via enginemanager/server/user/edit.htm in the Server->Users component. This issue was resolved in Wowza Streaming Engine 4.8.5.

Vendor: Webargs Project | Product: Webargs | Updated: Jun 17, 2026 | Published: Jan 29, 2020 | CVSS v4: N/A | CVSS v3: 8.8 HIGH | CVSS v2: 6.8 MEDIUM
flaskparser.py in Webargs 5.x through 5.5.2 doesn't check that the Content-Type header is application/json when receiving JSON input. If the request body is valid JSON, it will accept it even if the content type is application/x-www-form-urlencoded. This allows for JSON POST requests to be made across domains, leading to CSRF.

Vendor: Cups Easy (purchase & Inventory) Project | Product: Cups Easy (purchase & Inventory) | Updated: Jun 17, 2026 | Published: Jan 28, 2020 | CVSS v4: N/A | CVSS v3: 6.5 MEDIUM | CVSS v2: 4.3 MEDIUM
Cups Easy (Purchase & Inventory) 1.0 is vulnerable to CSRF that leads to admin account deletion via userdelete.php.

Vendor: Cups Easy Project | Product: Cups Easy | Updated: Jun 17, 2026 | Published: Jan 28, 2020 | CVSS v4: N/A | CVSS v3: 8.8 HIGH | CVSS v2: 6.8 MEDIUM
Cups Easy (Purchase & Inventory) 1.0 is vulnerable to CSRF that leads to admin account takeover via passwordmychange.php.

Vendor: Joomla | Product: Joomla | Updated: Jun 17, 2026 | Published: Jan 28, 2020 | CVSS v4: N/A | CVSS v3: 8.8 HIGH | CVSS v2: 6.8 MEDIUM
An issue was discovered in Joomla! before 3.9.15. A missing CSRF token check in the LESS compiler of com_templates causes a CSRF vulnerability.

Vendor: Joomla | Product: Joomla | Updated: Jun 17, 2026 | Published: Jan 28, 2020 | CVSS v4: N/A | CVSS v3: 8.8 HIGH | CVSS v2: 6.8 MEDIUM
An issue was discovered in Joomla! before 3.9.15. Missing token checks in the batch actions of various components cause CSRF vulnerabilities.

Vendor: Codesnippets | Product: Code Snippets | Updated: Jun 17, 2026 | Published: Jan 28, 2020 | CVSS v4: N/A | CVSS v3: 8.8 HIGH | CVSS v2: 6.8 MEDIUM
The Code Snippets plugin before 2.14.0 for WordPress allows CSRF because of the lack of a Referer check on the import menu.

Vendor: Asus | Products (7): Dsl N55u Firmware, Rt Ac66u Firmware, Rt N10u Firmware, +4 more | Updated: Nov 21, 2024 | Published: Jan 28, 2020 | CVSS v4: N/A | CVSS v3: 8.8 HIGH | CVSS v2: 9.3 HIGH
ASUS RT-N56U devices allow CSRF.

Vendor: Private Only Project | Product: Private Only | Updated: Nov 21, 2024 | Published: Jan 28, 2020 | CVSS v4: N/A | CVSS v3: 8.8 HIGH | CVSS v2: 6.8 MEDIUM
Multiple cross-site request forgery (CSRF) vulnerabilities in the Private Only plugin 3.5.1 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) add users, (2) delete posts, or (3) modify PHP files via unspecified vectors, or (4) conduct cross-site scripting (XSS) attacks via the po_logo parameter in the privateonly.php page to wp-admin/options-general.php.

Vendor: Micasaverde | Product: Veralite Firmware | Updated: Nov 21, 2024 | Published: Jan 28, 2020 | CVSS v4: N/A | CVSS v3: 6.5 MEDIUM | CVSS v2: 4.3 MEDIUM
Cross-site request forgery (CSRF) vulnerability in upgrade_step2.sh in MiCasaVerde VeraLite with firmware 1.5.408 allows remote attackers to hijack the authentication of users for requests that install arbitrary firmware via the squashfs parameter.

Vendor: Adive | Product: Framework | Updated: Jun 17, 2026 | Published: Jan 26, 2020 | CVSS v4: N/A | CVSS v3: 8.8 HIGH | CVSS v2: 6.8 MEDIUM
Adive Framework 2.0.8 has admin/config CSRF to change the Administrator password.

Vendor: Owncloud | Products (2): Owncloud, Owncloud Server | Updated: Mar 31, 2025 | Published: Jan 23, 2020 | CVSS v4: N/A | CVSS v3: 6.5 MEDIUM | CVSS v2: 4.3 MEDIUM
Cross-site request forgery (CSRF) vulnerability in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2 allows remote attackers to hijack the authentication of users for requests that reset passwords via a crafted HTTP Host header.