CWE-352

9,349 CVEs • Abstraction: Compound • Likelihood of Exploit: Medium

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
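The entries below show three distinct ways a CSRF defence fails in practice: the check is skipped when the token parameter is simply absent (MailEnable), issued tokens never expire (Jenkins), and a WebSocket upgrade is accepted from any Origin so the victim's cookies ride along (python-engineio). The following is an added, self-contained example (not code from any product on this page) of a synchronizer-token guard that handles all three, with the MailEnable-style broken check beside it for contrast. The session dict, `FakeClock`, the 3600-second TTL and the `https://app.example` origin are constructed assumptions for the example.

```python
"""Synchronizer-token CSRF guard illustrating the failure modes listed on this
page. Constructed example; not taken from any of the products listed."""
import hmac
import secrets
import time

SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


class CsrfGuard:
    """Per-session synchronizer token with expiry and an Origin allow-list."""

    def __init__(self, allowed_origins, ttl_seconds=3600, clock=time.time):
        self.allowed_origins = frozenset(allowed_origins)
        self.ttl_seconds = ttl_seconds
        self.clock = clock  # injectable so expiry can be tested deterministically

    def issue_token(self, session):
        """Mint a fresh random token and store it, with its issue time, in the session."""
        token = secrets.token_urlsafe(32)
        session["csrf_token"] = token
        session["csrf_issued_at"] = self.clock()
        return token

    def verify(self, session, method, form):
        """Return (accepted, reason). Only state-changing methods are checked."""
        if method in SAFE_METHODS:
            return True, "safe method"
        expected = session.get("csrf_token")
        if expected is None:
            return False, "no token issued for this session"
        # Tokens that never expire stay usable by anyone who once obtained them
        # (the Jenkins entry below); bound their lifetime.
        if self.clock() - session.get("csrf_issued_at", 0.0) > self.ttl_seconds:
            return False, "token expired"
        # An absent parameter must be a hard failure, not a skipped check
        # (the MailEnable entry below).
        supplied = form.get("csrf_token")
        if not isinstance(supplied, str):
            return False, "token parameter missing"
        if not hmac.compare_digest(supplied.encode(), expected.encode()):
            return False, "token mismatch"
        return True, "ok"

    def websocket_origin_allowed(self, headers):
        """Cross-Site WebSocket Hijacking check: the browser attaches cookies to the
        upgrade request, so the server must pin Origin to its own front-ends
        (the python-engineio entry below). No Origin at all is also rejected."""
        origin = headers.get("Origin")
        return origin is not None and origin in self.allowed_origins


def broken_verify(session, form):
    """MailEnable-style bug: the comparison only runs when the parameter is present,
    so an attacker's auto-submitting form that omits csrf_token is accepted."""
    supplied = form.get("csrf_token")
    if supplied is not None and supplied != session.get("csrf_token"):
        return False
    return True


class FakeClock:
    """Deterministic clock so the expiry path can be exercised (constructed)."""

    def __init__(self, now=1_700_000_000.0):
        self.now = now

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Run the legitimate, forged, stale and WebSocket cases; return the outcomes."""
    clock = FakeClock()
    guard = CsrfGuard(["https://app.example"], ttl_seconds=3600, clock=clock)
    session = {}  # constructed stand-in for the server-side session store
    token = guard.issue_token(session)
    results = {
        "legit": guard.verify(session, "POST", {"csrf_token": token}),
        # A cross-origin page cannot read the token, so a forged POST lacks it
        "forged_no_token": guard.verify(session, "POST", {}),
        "forged_wrong_token": guard.verify(session, "POST", {"csrf_token": "x" * 43}),
        "broken_accepts_missing": broken_verify(session, {}),
        "ws_good_origin": guard.websocket_origin_allowed({"Origin": "https://app.example"}),
        "ws_evil_origin": guard.websocket_origin_allowed({"Origin": "https://evil.example"}),
        "ws_no_origin": guard.websocket_origin_allowed({}),
    }
    clock.advance(3601)  # one second past the TTL
    results["stale_token"] = guard.verify(session, "POST", {"csrf_token": token})
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:24} -> {outcome}")
```

The token comparison uses `hmac.compare_digest` rather than `==` so a mismatch does not leak timing information about how many leading bytes matched. Note that SameSite cookie attributes reduce CSRF exposure but do not replace the token check: the Origin pin is still needed for WebSocket upgrades, where browsers attach cookies and the token cannot be carried in a form field.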

CVEs (9,349)

Columns: CVE | Vendors | Products | Updated | Published | CVSS (v4 / v3 / v2). CVE identifiers were not captured in this listing; each row gives the remaining columns followed by the CVE description.

Vendor: Domainmod | Product: Domainmod | Updated: Jun 17, 2026 | Published: Jul 18, 2019 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
  domainmod v4.10.0 is affected by: Cross Site Request Forgery (CSRF). The impact is: There is a CSRF vulnerability that can change admin password. The component is: http://127.0.0.1/settings/password/ http://127.0.0.1/admin/users/add.php http://127.0.0.1/admin/users/edit.php?uid=2. The attack vector is: After the administrator logged in, open the html page.

Vendor: Dolibarr | Product: Dolibarr Erp/crm | Updated: Jun 17, 2026 | Published: Jul 18, 2019 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
  Dolibarr 7.0.0 is affected by: Cross Site Request Forgery (CSRF). The impact is: allow malicious HTML to change user password, disable users and disable password encryption. The component is: Function User password change, user disable and password encryption. The attack vector is: admin access malicious URLs.

Vendor: Jenkins | Product: Jenkins | Updated: Jun 17, 2026 | Published: Jul 17, 2019 | CVSS: v4 N/A, v3 7.5 HIGH, v2 5.1 MEDIUM
  CSRF tokens in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier did not expire, thereby allowing attackers able to obtain them to bypass CSRF protection.

Vendor: Python Engineio Project | Product: Python Engineio | Updated: Jun 17, 2026 | Published: Jul 16, 2019 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
  An issue was discovered in python-engineio through 3.8.2. There is a Cross-Site WebSocket Hijacking (CSWSH) vulnerability that allows attackers to make WebSocket connections to a server by using a victim's credentials, because the Origin header is not restricted.

Vendor: Mirumee | Product: Saleor | Updated: Jun 17, 2026 | Published: Jul 14, 2019 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
  In Mirumee Saleor 2.7.0 (fixed in 2.8.0), CSRF protection middleware was accidentally disabled, which allowed attackers to send a POST request without a valid CSRF token and be accepted by the server.

Vendor: Dlink | Product: Dir 655 Firmware | Updated: Jun 17, 2026 | Published: Jul 11, 2019 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
  D-Link DIR-655 C devices before 3.02B05 BETA03 allow CSRF for the entire management console.

Vendor: Mybb 2fa Project | Product: Mybb 2fa | Updated: Jun 17, 2026 | Published: Jul 11, 2019 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
  A CSRF issue was discovered in the JN-Jones MyBB-2FA plugin through 2014-11-05 for MyBB. An attacker can forge a request to an installed mybb2fa plugin to control its state via usercp.php?action=mybb2fa&do=deactivate (or usercp.php?action=mybb2fa&do=activate). A deactivate operation lowers the security of the targeted account by disabling two factor authentication.

Vendor: Jenkins | Product: Docker | Updated: Jun 17, 2026 | Published: Jul 11, 2019 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
  A cross-site request forgery vulnerability in Jenkins Docker Plugin 1.1.6 and earlier in DockerAPI.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Vendors: Debian, Mediawiki | Products: Debian Linux, Mediawiki | Updated: Jun 17, 2026 | Published: Jul 10, 2019 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
  Wikimedia MediaWiki through 1.32.1 allows CSRF.

Vendor: Cyberpowersystems | Product: Powerpanel | Updated: Jun 17, 2026 | Published: Jul 10, 2019 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
  CSRF in the Agent/Center component of CyberPower PowerPanel Business Edition 3.4.0 allows an attacker to submit POST requests to any forms in the web application. This can be exploited by tricking an authenticated user into visiting an attacker controlled web page.

Vendor: Eventum Project | Product: Eventum | Updated: Nov 21, 2024 | Published: Jul 10, 2019 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
  An issue was discovered in Eventum 3.5.0. CSRF in htdocs/manage/users.php allows creating another user with admin privileges.

Vendor: Mailenable | Product: Mailenable | Updated: Jun 17, 2026 | Published: Jul 8, 2019 | CVSS: v4 N/A, v3 6.5 MEDIUM, v2 4.3 MEDIUM
  In MailEnable Enterprise Premium 10.23, the potential cross-site request forgery (CSRF) protection mechanism was not implemented correctly and it was possible to bypass it by removing the anti-CSRF token parameter from the request. This could allow an attacker to manipulate a user into unwittingly performing actions within the application (such as sending email, adding contacts, or changing settings) on behalf of the attacker.

Vendor: Fortinet | Product: Fcm Mb40 Firmware | Updated: Jun 17, 2026 | Published: Jul 8, 2019 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
  Dynacolor FCM-MB40 v1.2.0.0 devices have CSRF in all scripts under cgi-bin/.

Vendor: Flarum | Product: Flarum | Updated: Jun 17, 2026 | Published: Jul 7, 2019 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
  Flarum before 0.1.0-beta.9 allows CSRF against all POST endpoints, as demonstrated by changing admin settings.

Vendor: Ignitedcms | Product: Ignitedcms | Updated: Jun 17, 2026 | Published: Jul 6, 2019 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
  index.php/admin/permissions in Ignited CMS through 2017-02-19 allows CSRF to add an administrator.

Vendor: Waspthemes | Product: Custom Css Pro | Updated: Jun 17, 2026 | Published: Jul 5, 2019 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
  Cross-site request forgery (CSRF) vulnerability in Custom CSS Pro 1.0.3 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.

Vendor: Fla Shop | Product: Html5 Maps | Updated: Jun 17, 2026 | Published: Jul 5, 2019 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
  Cross-site request forgery (CSRF) vulnerability in HTML5 Maps 1.6.5.6 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.

Vendor: Meomundo | Product: Related Youtube Videos | Updated: Jun 17, 2026 | Published: Jul 5, 2019 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
  Cross-site request forgery (CSRF) vulnerability in Related YouTube Videos versions prior to 1.9.9 allows remote attackers to hijack the authentication of administrators via unspecified vectors.

Vendor: Najeebmedia | Product: Personalized Woocommerce Cart Page | Updated: Jun 17, 2026 | Published: Jul 5, 2019 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
  Cross-site request forgery (CSRF) vulnerability in Personalized WooCommerce Cart Page 2.4 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.

Vendor: Contest Gallery | Product: Contest Gallery | Updated: Jun 17, 2026 | Published: Jul 5, 2019 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
  Cross-site request forgery (CSRF) vulnerability in Contest Gallery versions prior to 10.4.5 allows remote attackers to hijack the authentication of administrators via unspecified vectors.