Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

CVEs (9,349)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2019-10441 1Jenkins 1Icescrum Jun 17, 2026 Oct 16, 2019 N/A· v4 4.3 MEDIUM· v3 4.3 MEDIUM· v2 A cross-site request forgery vulnerability in Jenkins iceScrum Plugin 1.1.5 and earlier allowed attackers to connect to an attacker-specified URL using attacker-specified credentials.
CVE-2019-10437 1Jenkins 1Crx Content Package Deployer Jun 17, 2026 Oct 16, 2019 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 A cross-site request forgery vulnerability in Jenkins CRX Content Package Deployer Plugin 1.8.1 and earlier allowed attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained thro...Show more A cross-site request forgery vulnerability in Jenkins CRX Content Package Deployer Plugin 1.8.1 and earlier allowed attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.Show less
CVE-2016-11015 1Netgear 1Jnr1010 Firmware Nov 21, 2024 Oct 16, 2019 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 NETGEAR JNR1010 devices before 1.0.0.32 allow cgi-bin/webproc CSRF via the :InternetGatewayDevice.X_TWSZ-COM_URL_Filter.BlackList.1.URL parameter.
CVE-2019-17600 1Intelbras 1Iwr 1000n Firmware Jun 17, 2026 Oct 15, 2019 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 Intelbras IWR 1000N 1.6.4 devices allow disclosure of the administrator login name and password because v1/system/user is mishandled.
CVE-2019-17593 1Jizhicms 1Jizhicms Jun 17, 2026 Oct 14, 2019 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 JIZHICMS 1.5.1 allows admin.php/Admin/adminadd.html CSRF to add an administrator.
CVE-2019-17521 1Landing Cms Project 1Landing Cms Jun 17, 2026 Oct 12, 2019 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 An issue was discovered in Landing-CMS 0.0.6. There is a CSRF vulnerability that can change the admin's password via the password/ URI,
CVE-2018-20582 1Gree 1Gree Nov 21, 2024 Oct 11, 2019 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 The GREE+ (aka com.gree.greeplus) application 1.4.0.8 for Android suffers from Cross Site Request Forgery.
CVE-2019-17495 2Oracle Smartbear 6Banking Apis Banking Digital ExperienceBanking Platform+3 more Jun 17, 2026 Oct 10, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before 3.23.11 allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltr...Show more A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before 3.23.11 allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value. In other words, this product intentionally allows the embedding of untrusted JSON data from remote servers, but it was not previously known that <style>@import within the JSON data was a functional attack method.Show less
CVE-2019-17386 1Eleopard 1Animate It! Jun 17, 2026 Oct 10, 2019 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 The animate-it plugin before 2.3.6 for WordPress has CSRF in edsanimate.php.
CVE-2019-17432 1Fastadmin 1Fastadmin Jun 17, 2026 Oct 10, 2019 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 An issue was discovered in fastadmin 1.0.0.20190705_beta. There is a public/admin/general.config/edit CSRF vulnerability, as demonstrated by resultant XSS via the row[name] parameter.
CVE-2019-17431 1Fastadmin 1Fastadmin Jun 17, 2026 Oct 10, 2019 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 An issue was discovered in fastadmin 1.0.0.20190705_beta. There is a public/index.php/admin/auth/admin/add CSRF vulnerability.
CVE-2019-13529 1Sma 1Sunny Webbox Firmware Jun 17, 2026 Oct 9, 2019 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 An attacker could send a malicious link to an authenticated operator, which may allow remote attackers to perform actions with the permissions of the user on the Sunny WebBox Firmware Version 1.6 and prior. This device u...Show more An attacker could send a malicious link to an authenticated operator, which may allow remote attackers to perform actions with the permissions of the user on the Sunny WebBox Firmware Version 1.6 and prior. This device uses IP addresses to maintain communication after a successful login, which would increase the ease of exploitation.Show less
CVE-2019-17369 1Otcms 1Otcms Jun 17, 2026 Oct 9, 2019 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 OTCMS v3.85 has CSRF in the admin/member_deal.php Admin Panel page, leading to creation of a new management group account, as demonstrated by superadmin.
CVE-2015-9455 1Incsub 1Buddypress Activity Plus Nov 21, 2024 Oct 7, 2019 N/A· v4 8.1 HIGH· v3 7.8 HIGH· v2 The buddypress-activity-plus plugin before 1.6.2 for WordPress has CSRF with resultant directory traversal via the wp-admin/admin-ajax.php bpfb_photos[] parameter in a bpfb_remove_temp_images action.
CVE-2019-17217 1Vzug 1Combi Stream Mslq Firmware Jun 17, 2026 Oct 6, 2019 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 An issue was discovered on V-Zug Combi-Steam MSLQ devices before Ethernet R07 and before WLAN R05. There is no CSRF protection established on the web service.
CVE-2019-1915 1Cisco 3Unified Communications Manager Unified Communications Manager Im And Presence ServiceUnity Connection Jun 17, 2026 Oct 2, 2019 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 A vulnerability in the web-based interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition (SME), Cisco Unified Communications Manager IM and Presence (Unified CM...Show more A vulnerability in the web-based interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition (SME), Cisco Unified Communications Manager IM and Presence (Unified CM IM&P) Service, and Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protections by the affected software. An attacker could exploit this vulnerability by persuading a targeted user to click a malicious link. A successful exploit could allow the attacker to send arbitrary requests that could change the password of a targeted user. An attacker could then take unauthorized actions on behalf of the targeted user.Show less
CVE-2019-15040 1Jetbrains 1Youtrack Jun 17, 2026 Oct 2, 2019 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 JetBrains YouTrack versions before 2019.1 had a CSRF vulnerability on the settings page.
CVE-2019-16993 2Debian Phpbb 2Debian Linux Phpbb Jun 17, 2026 Sep 30, 2019 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 In phpBB before 3.1.7-PL1, includes/acp/acp_bbcodes.php has improper verification of a CSRF token on the BBCode page in the Administration Control Panel. An actual CSRF attack is possible if an attacker also manages to r...Show more In phpBB before 3.1.7-PL1, includes/acp/acp_bbcodes.php has improper verification of a CSRF token on the BBCode page in the Administration Control Panel. An actual CSRF attack is possible if an attacker also manages to retrieve the session id of a reauthenticated administrator prior to targeting them.Show less
CVE-2019-13376 1Phpbb 1Phpbb Jun 17, 2026 Sep 27, 2019 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 phpBB version 3.2.7 allows the stealing of an Administration Control Panel session id by leveraging CSRF in the Remote Avatar feature. The CSRF Token Hijacking leads to stored XSS
CVE-2019-16667 1Netgate 1Pfsense Jun 17, 2026 Sep 26, 2019 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 diag_command.php in pfSense 2.4.4-p3 allows CSRF via the txtCommand or txtRecallBuffer field, as demonstrated by executing OS commands. This occurs because csrf_callback() produces a "CSRF token expired" error and a Try...Show more diag_command.php in pfSense 2.4.4-p3 allows CSRF via the txtCommand or txtRecallBuffer field, as demonstrated by executing OS commands. This occurs because csrf_callback() produces a "CSRF token expired" error and a Try Again button when a CSRF token is missing.Show less

Previous 1...346347348...468 Next