Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

CVEs (9,349)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2019-16513 1Connectwise 1Control Jun 17, 2026 Jan 23, 2020 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185. CSRF can be used to send API requests.
CVE-2020-7210 1Umbraco 1Umbraco Cms Jun 17, 2026 Jan 23, 2020 N/A· v4 4.3 MEDIUM· v3 4.3 MEDIUM· v2 Umbraco CMS 8.2.2 allows CSRF to enable/disable or delete user accounts.
CVE-2011-3612 1Usebb 1Usebb Nov 21, 2024 Jan 22, 2020 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Cross-Site Request Forgery (CSRF) vulnerability exists in panel.php in UseBB before 1.0.12.
CVE-2011-3582 1Anelectron 1Advanced Electron Forums Nov 21, 2024 Jan 22, 2020 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 A Cross-site Request Forgery (CSRF) vulnerability exists in Advanced Electron Forums (AEF) through 1.0.9 due to inadequate confirmation for sensitive transactions in the administrator functions.
CVE-2020-6849 1Hutchhouse 1Marketo Forms And Tracking Jun 17, 2026 Jan 21, 2020 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 The marketo-forms-and-tracking plugin through 1.0.2 for WordPress allows wp-admin/admin.php?page=marketo_fat CSRF with resultant XSS.
CVE-2019-3864 1Redhat 1Quay Jun 17, 2026 Jan 21, 2020 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 A vulnerability was discovered in all quay-2 versions before quay-3.0.0, in the Quay web GUI where POST requests include a specific parameter which is used as a CSRF token. The token is not refreshed for every request or...Show more A vulnerability was discovered in all quay-2 versions before quay-3.0.0, in the Quay web GUI where POST requests include a specific parameter which is used as a CSRF token. The token is not refreshed for every request or when a user logged out and in again. An attacker could use a leaked token to gain access to the system using the user's account.Show less
CVE-2020-5397 2Oracle Vmware 27Application Testing Suite Communications Brm Elastic Charging EngineCommunications Diameter Signaling Router+24 more Jun 17, 2026 Jan 17, 2020 N/A· v4 5.3 MEDIUM· v3 2.6 LOW· v2 Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC (spring-webmvc module) or Spring WebFlux (spring-webflux module) endpoints. Only non-a...Show more Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC (spring-webmvc module) or Spring WebFlux (spring-webflux module) endpoints. Only non-authenticated endpoints are vulnerable because preflight requests should not include credentials and therefore requests should fail authentication. However a notable exception to this are Chrome based browsers when using client certificates for authentication since Chrome sends TLS client certificates in CORS preflight requests in violation of spec requirements. No HTTP body can be sent or received as a result of this attack.Show less
CVE-2019-19854 1Serpico Project 1Serpico Jun 17, 2026 Jan 15, 2020 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 An issue was discovered in Serpico (aka SimplE RePort wrIting and CollaboratiOn tool) 1.3.0. It does not use CSRF Tokens to mitigate against CSRF; it uses the Origin header (which must match the request origin). This is...Show more An issue was discovered in Serpico (aka SimplE RePort wrIting and CollaboratiOn tool) 1.3.0. It does not use CSRF Tokens to mitigate against CSRF; it uses the Origin header (which must match the request origin). This is problematic in conjunction with XSS: one can escalate privileges from User level to Administrator.Show less
CVE-2019-18271 1Osisoft 1Pi Vision Jun 17, 2026 Jan 15, 2020 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 OSIsoft PI Vision, All versions of PI Vision prior to 2019. The affected product is vulnerable to a cross-site request forgery that may be introduced on the PI Vision administration site.
CVE-2020-2098 1Jenkins 1Sounds Jun 17, 2026 Jan 15, 2020 N/A· v4 8.8 HIGH· v3 9.3 HIGH· v2 A cross-site request forgery vulnerability in Jenkins Sounds Plugin 0.5 and earlier allows attacker to execute arbitrary OS commands as the OS user account running Jenkins.
CVE-2020-2093 1Jenkins 1Health Advisor By Cloudbees Jun 17, 2026 Jan 15, 2020 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 A cross-site request forgery vulnerability in Jenkins Health Advisor by CloudBees Plugin 3.0 and earlier allows attackers to send an email with fixed content to an attacker-specified recipient.
CVE-2020-2090 1Jenkins 1Amazon Ec2 Jun 17, 2026 Jan 15, 2020 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 A cross-site request forgery vulnerability in Jenkins Amazon EC2 Plugin 1.47 and earlier allows attackers to connect to an attacker-specified URL within the AWS region using attacker-specified credentials IDs obtained th...Show more A cross-site request forgery vulnerability in Jenkins Amazon EC2 Plugin 1.47 and earlier allows attackers to connect to an attacker-specified URL within the AWS region using attacker-specified credentials IDs obtained through another method.Show less
CVE-2020-5502 1Phpbb 1Phpbb Jun 17, 2026 Jan 15, 2020 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 phpBB 3.2.8 allows a CSRF attack that can approve pending group memberships.
CVE-2020-5501 1Phpbb 1Phpbb Jun 17, 2026 Jan 15, 2020 N/A· v4 4.3 MEDIUM· v3 4.3 MEDIUM· v2 phpBB 3.2.8 allows a CSRF attack that can modify a group avatar.
CVE-2011-2934 1Websitebaker 1Websitebaker Nov 21, 2024 Jan 14, 2020 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 A Cross Site Request Forgery (CSRF) vulnerability exists in the administrator functions in WebsiteBaker 2.8.1 and earlier due to inadequate confirmation for sensitive transactions.
CVE-2014-9382 1Free 1Freebox Os Nov 21, 2024 Jan 13, 2020 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 Freebox OS Web interface 3.0.2 has CSRF which can allow VPN user account creation
CVE-2019-14304 1Ricoh 52M 2700 Firmware M 2701 FirmwareM C250fw Firmware+49 more Jun 17, 2026 Jan 10, 2020 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Ricoh SP C250DN 1.06 devices allow CSRF.
CVE-2019-20178 1Peel 1Peel Shopping Jun 17, 2026 Jan 9, 2020 N/A· v4 6.5 MEDIUM· v3 5.8 MEDIUM· v2 Advisto PEEL Shopping 9.2.1 has CSRF via administrer/utilisateurs.php to delete a user.
CVE-2019-6319 1Hp 8Deskjet 3630 F5s43a Firmware Deskjet 3630 F5s57a FirmwareDeskjet 3630 K4t93a Firmware+5 more Jun 17, 2026 Jan 9, 2020 N/A· v4 8.1 HIGH· v3 5.8 MEDIUM· v2 HP DeskJet 3630 All-in-One Printers models F5S43A - F5S57A, K4T93A - K4T99C, K4U00B - K4U03B, and V3F21A - V3F22A (firmware version SWP1FN1912BR or higher) have a Cross-Site Request Forgery (CSRF) vulnerability that coul...Show more HP DeskJet 3630 All-in-One Printers models F5S43A - F5S57A, K4T93A - K4T99C, K4U00B - K4U03B, and V3F21A - V3F22A (firmware version SWP1FN1912BR or higher) have a Cross-Site Request Forgery (CSRF) vulnerability that could lead to a denial of service (DOS) or device misconfiguration.Show less
CVE-2020-6167 1Webfactoryltd 1Minimal Coming Soon & Maintenance Mode Jun 17, 2026 Jan 9, 2020 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 A flaw in the WordPress plugin, Minimal Coming Soon & Maintenance Mode through 2.10, allows a CSRF attack to enable maintenance mode, inject XSS, modify several important settings, or include remote files as a logo.

Previous 1...340341342...468 Next