CWE-352

9,349 CVEs • Abstraction: Compound • Likelihood of Exploit: Medium

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.


CVEs (9,349)

Each entry lists Vendors, Products, Updated and Published dates, CVSS scores (v4 / v3 / v2) and the CVE description.

Vendor: Sap
Product: Businessobjects Business Intelligence Platform
Updated: Jun 17, 2026 | Published: Dec 11, 2019
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.8 MEDIUM
Due to insufficient CSRF protection, SAP BusinessObjects Business Intelligence Platform (Monitoring Application), before versions 4.1, 4.2 and 4.3, may allow an authenticated user to be induced to send unintended requests to the web server, leading to Cross Site Request Forgery.

Vendor: Redhat
Product: Subscription Asset Manager
Updated: Nov 21, 2024 | Published: Dec 11, 2019
CVSS: v4 N/A | v3 6.5 MEDIUM | v2 4.3 MEDIUM
katello-headpin is vulnerable to CSRF in its REST API.

Vendor: Ibm
Product: Cloud Pak System
Updated: Jun 17, 2026 | Published: Dec 10, 2019
CVSS: v4 N/A | v3 4.3 MEDIUM | v2 4.3 MEDIUM
IBM Cloud Pak System 2.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 158015.

Vendor: Nopcommerce
Product: Nopcommerce
Updated: Jun 17, 2026 | Published: Dec 9, 2019
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.8 MEDIUM
RoxyFileman, as shipped with nopCommerce v4.2.0, is vulnerable to CSRF because GET requests can be used for renames and deletions.

Vendors: Dash, Officialdapscoin, Pivx
Products: Dash Core, Decentralized Anonymous Payment System, Private Instant Verified Transactions
Updated: Jun 17, 2026 | Published: Dec 4, 2019
CVSS: v4 N/A | v3 4.3 MEDIUM | v2 4.3 MEDIUM
An issue was discovered in Decentralized Anonymous Payment System (DAPS) through 2019-08-26. It is possible to force wallets to send HTTP requests to arbitrary locations, both on the local network and on the internet. This is a serious threat to user privacy, since it can possibly leak their IP address and the fact that they are using the product. This also affects Dash Core through 0.14.0.3 and Private Instant Verified Transactions (PIVX) through 3.4.0.

Vendor: Davical
Product: Davical
Updated: Jun 17, 2026 | Published: Dec 4, 2019
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.8 MEDIUM
A CSRF issue was discovered in DAViCal through 1.1.8. If an authenticated user visits an attacker-controlled webpage, the attacker can send arbitrary requests in the name of the user to the application. If the attacked user is an administrator, the attacker could for example add a new admin user.

Vendor: Intelbras
Product: Wrn 150 Firmware
Updated: Jun 17, 2026 | Published: Dec 2, 2019
CVSS: v4 N/A | v3 6.5 MEDIUM | v2 4.3 MEDIUM
Intelbras WRN 150 1.0.18 devices allow CSRF via GO=system_password.asp to the goform/SysToolChangePwd URI to change a password.

Vendor: Zmanda
Product: Amanda
Updated: Jun 17, 2026 | Published: Dec 1, 2019
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.8 MEDIUM
In Zmanda Management Console 3.3.9, ZMC_Admin_Advanced?form=adminTasks&action=Apply&command= allows CSRF, as demonstrated by command injection with shell metacharacters. This may depend on weak default credentials.

Vendor: Octopus
Product: Octopus Deploy
Updated: Jun 17, 2026 | Published: Nov 28, 2019
CVSS: v4 N/A | v3 5.3 MEDIUM | v2 4.3 MEDIUM
In Octopus Deploy before 2019.10.7, in a configuration where SSL offloading is enabled, the CSRF cookie was sometimes sent without the Secure attribute. (The fix for this was backported to LTS versions 2019.6.14 and 2019.9.8.)

Vendor: Csrf Magic Project
Product: Csrf Magic
Updated: Jun 17, 2026 | Published: Nov 26, 2019
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.8 MEDIUM
The csrf_callback function in the CSRF Magic library through 2016-03-27 is vulnerable to CSRF protection bypass as it allows one to tamper with the csrf token values. A remote attacker can exploit this by crafting a malicious page and distributing it to a victim via social engineering, enticing them to click the link. Once the user/victim clicks the "try again" button, the attacker can take over the account and perform unintended actions on the victim's behalf. NOTE: A third-party maintainer has stated that this CVE is a false report. They state that the csrf_callback function is actually a callback function to the caller's own handler for output. The function called can be changed via configuration to a custom callback to handle failed validation differently. They also stated that there is no way for an attacker to change tokens to make them valid from the client side. The only thing an attacker can do is to pull the token out of the JavaScript, but that will always be possible and has nothing to do with the callback.

Vendors: Canonical, Fedoraproject, Squid Cache
Products: Fedora, Squid, Ubuntu Linux
Updated: Jun 17, 2026 | Published: Nov 26, 2019
CVSS: v4 N/A | v3 6.1 MEDIUM | v2 5.8 MEDIUM
An issue was discovered in Squid 3.x and 4.x through 4.8 when the append_domain setting is used (because the appended characters do not properly interact with hostname length restrictions). Due to incorrect message processing, it can inappropriately redirect traffic to origins it should not be delivered to.

Vendor: Cisco
Product: Sd Wan Firmware
Updated: Jun 17, 2026 | Published: Nov 26, 2019
CVSS: v4 N/A | v3 6.5 MEDIUM | v2 4.3 MEDIUM
A vulnerability in the vManage web-based UI (web UI) of the Cisco SD-WAN Solution could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protections for the web UI on an affected instance of vManage. An attacker could exploit this vulnerability by persuading a user to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user.

Vendor: Redhat
Product: Jboss Application Server
Updated: Nov 21, 2024 | Published: Nov 26, 2019
CVSS: v4 N/A | v3 6.5 MEDIUM | v2 4.3 MEDIUM
A CSRF issue was found in JBoss Application Server 7 before 7.1.0. JBoss did not properly restrict access to the management console information (for example via the "Access-Control-Allow-Origin" HTTP access control flag). This can lead to an unauthorized information leak if a user with admin privileges visits a specially-crafted web page provided by a remote attacker.

Vendor: D Link
Product: Dsl6740u Firmware
Updated: Nov 21, 2024 | Published: Nov 22, 2019
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.8 MEDIUM
Multiple cross-site request forgery (CSRF) vulnerabilities in the D-Link DSL-6740U gateway (Rev. H1) allow remote attackers to hijack the authentication of administrators for requests that change administrator credentials or enable remote management services to (1) Custom Services in Port Forwarding, (2) Port Triggering Entries, (3) URL Filters in Parental Control, (4) Print Server settings, (5) QoS Queue Setup, or (6) QoS Classification Entries.

Vendor: Pagekit
Product: Pagekit
Updated: Jun 17, 2026 | Published: Nov 22, 2019
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.8 MEDIUM
A CSRF vulnerability in Pagekit 1.0.17 allows an attacker to upload an arbitrary file by removing the CSRF token from a request.

Vendor: Drupal
Product: Activity
Updated: Nov 21, 2024 | Published: Nov 22, 2019
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.8 MEDIUM
A cross-site request forgery (CSRF) vulnerability in the Activity module 6.x-1.x for Drupal.

Vendor: Synametrics
Products: Synaman, Syncrify, Syntail
Updated: Nov 21, 2024 | Published: Nov 21, 2019
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.8 MEDIUM
Multiple cross-site request forgery (CSRF) vulnerabilities in Synametrics Technologies SynaMan before 3.5 Build 1451, Syncrify before 3.7 Build 856, and SynTail before 1.5 Build 567.

Vendor: Loftek
Product: Nexus 543 Firmware
Updated: Nov 21, 2024 | Published: Nov 21, 2019
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.8 MEDIUM
Multiple cross-site request forgery (CSRF) vulnerabilities in the Loftek Nexus 543 IP Camera allow remote attackers to hijack the authentication of unspecified victims for requests that change (1) passwords or (2) firewall configuration, as demonstrated by a request to set_users.cgi.

Vendor: Jenkins
Product: Google Compute Engine
Updated: Jun 17, 2026 | Published: Nov 21, 2019
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.8 MEDIUM
A cross-site request forgery vulnerability in Jenkins Google Compute Engine Plugin 4.1.1 and earlier in ComputeEngineCloud#doProvision could be used to provision new agents.

Vendor: Cobblerd
Product: Cobbler
Updated: Nov 21, 2024 | Published: Nov 19, 2019
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.8 MEDIUM
cobbler: Web interface lacks CSRF protection when using the Django framework.