Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

CVEs (9,349)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2019-5973 1Sukimalab 1Online Lesson Booking Jun 17, 2026 Jul 5, 2019 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Cross-site request forgery (CSRF) vulnerability in Online Lesson Booking 0.8.6 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.
CVE-2019-5971 1Sukimalab 1Attendance Manager Jun 17, 2026 Jul 5, 2019 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Cross-site request forgery (CSRF) vulnerability in Attendance Manager 0.5.6 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.
CVE-2019-5968 1Weseek 1Growi Jun 17, 2026 Jul 5, 2019 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Cross-site request forgery (CSRF) vulnerability in GROWI v3.4.6 and earlier allows remote attackers to hijack the authentication of administrators via updating user's 'Basic Info'.
CVE-2019-5963 1Zoho 1Salesiq Jun 17, 2026 Jul 5, 2019 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Cross-site request forgery (CSRF) vulnerability in Zoho SalesIQ 1.0.8 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.
CVE-2019-5960 1Custom4web 1Wp Open Graph Jun 17, 2026 Jul 5, 2019 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Cross-site request forgery (CSRF) vulnerability in WP Open Graph 1.6.1 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.
CVE-2019-6636 1F5 2Big Ip Advanced Firewall Manager Big Ip Application Security Manager Jun 17, 2026 Jul 3, 2019 N/A· v4 8.4 HIGH· v3 8.5 HIGH· v2 On BIG-IP (AFM, ASM) 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4, and 11.5.1-11.6.4, a stored cross-site scripting vulnerability in AFM feed list. In the worst case, an attacker can store a CSRF whic...Show more On BIG-IP (AFM, ASM) 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4, and 11.5.1-11.6.4, a stored cross-site scripting vulnerability in AFM feed list. In the worst case, an attacker can store a CSRF which results in code execution as the admin user. The level of user role which can perform this attack are resource administrator and administrator.Show less
CVE-2019-12851 1Jetbrains 1Youtrack Jun 17, 2026 Jul 3, 2019 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 A CSRF vulnerability was detected in one of the admin endpoints of JetBrains YouTrack. The issue was fixed in YouTrack 2018.4.49852.
CVE-2019-5630 1Rapid7 1Nexpose Jun 17, 2026 Jul 3, 2019 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 A Cross-Site Request Forgery (CSRF) vulnerability was found in Rapid7 Nexpose InsightVM Security Console versions 6.5.0 through 6.5.68. This issue allows attackers to exploit CSRF vulnerabilities on API endpoints using F...Show more A Cross-Site Request Forgery (CSRF) vulnerability was found in Rapid7 Nexpose InsightVM Security Console versions 6.5.0 through 6.5.68. This issue allows attackers to exploit CSRF vulnerabilities on API endpoints using Flash to circumvent a cross-domain pre-flight OPTIONS request.Show less
CVE-2018-10986 1Open Xchange 1Ox Guard Nov 21, 2024 Jul 3, 2019 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 OX Guard 2.8.0 has CSRF.
CVE-2018-11427 1Moxa 2Oncell G3150 Hspa T Firmware Oncell G3150 Hspa Firmware Nov 21, 2024 Jul 3, 2019 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 CSRF tokens are not used in the web application of Moxa OnCell G3100-HSPA Series version 1.4 Build 16062919 and prior, which makes it possible to perform CSRF attacks on the device administrator.
CVE-2017-8406 1Dlink 1Dcs 1130 Firmware Nov 21, 2024 Jul 2, 2019 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 An issue was discovered on D-Link DCS-1130 devices. The device provides a crossdomain.xml file with no restrictions on who can access the webserver. This allows an hosted flash file on any domain to make calls to the dev...Show more An issue was discovered on D-Link DCS-1130 devices. The device provides a crossdomain.xml file with no restrictions on who can access the webserver. This allows an hosted flash file on any domain to make calls to the device's webserver and pull any information that is stored on the device. In this case, user's credentials are stored in clear text on the device and can be pulled easily. It also seems that the device does not implement any cross-site scripting forgery protection mechanism which allows an attacker to trick a user who is logged in to the web management interface into executing a cross-site flashing attack on the user's browser and execute any action on the device provided by the web management interface which steals the credentials from tools_admin.cgi file's response and displays it inside a Textfield.Show less
CVE-2017-8407 1Dlink 1Dcs 1130 Firmware Nov 21, 2024 Jul 2, 2019 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 An issue was discovered on D-Link DCS-1130 devices. The device provides a user with the capability of changing the administrative password for the web management interface. It seems that the device does not implement any...Show more An issue was discovered on D-Link DCS-1130 devices. The device provides a user with the capability of changing the administrative password for the web management interface. It seems that the device does not implement any cross-site request forgery protection mechanism which allows an attacker to trick a user who is logged in to the web management interface to change the user's password.Show less
CVE-2019-7262 1Nortekcontrol 2Linear Emerge Elite Firmware Linear Emerge Essential Firmware Jun 17, 2026 Jul 2, 2019 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Linear eMerge E3-Series devices allow Cross-Site Request Forgery (CSRF).
CVE-2019-7270 1Nortekcontrol 2Linear Emerge 5000p Firmware Linear Emerge 50p Firmware Jun 17, 2026 Jul 2, 2019 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Linear eMerge 50P/5000P devices allow Cross-Site Request Forgery (CSRF).
CVE-2019-13056 1Cyberpanel 1Cyberpanel Jun 17, 2026 Jul 2, 2019 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 An issue was discovered in CyberPanel through 1.8.4. On the user edit page, an attacker can edit the administrator's e-mail and password because of the lack of CSRF protection.
CVE-2019-7273 1Optergy 2Enterprise Proton Jun 17, 2026 Jul 1, 2019 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Optergy Proton/Enterprise devices allow Cross-Site Request Forgery (CSRF).
CVE-2019-7281 1Primasystems 1Flexair Jun 17, 2026 Jul 1, 2019 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Prima Systems FlexAir, Versions 2.3.38 and prior. An unauthenticated user can send unverified HTTP requests, which may allow the attacker to perform certain actions with administrative privileges if a logged-in user visi...Show more Prima Systems FlexAir, Versions 2.3.38 and prior. An unauthenticated user can send unverified HTTP requests, which may allow the attacker to perform certain actions with administrative privileges if a logged-in user visits a malicious website.Show less
CVE-2019-12826 1Wpchef 1Widget Logic Jun 17, 2026 Jul 1, 2019 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 A Cross-Site-Request-Forgery (CSRF) vulnerability in widget_logic.php in the 2by2host Widget Logic plugin before 5.10.2 for WordPress allows remote attackers to execute PHP code via snippets (that are attached to widgets...Show more A Cross-Site-Request-Forgery (CSRF) vulnerability in widget_logic.php in the 2by2host Widget Logic plugin before 5.10.2 for WordPress allows remote attackers to execute PHP code via snippets (that are attached to widgets and then eval'd to dynamically determine their visibility) by crafting a malicious POST request that tricks administrators into adding the code.Show less
CVE-2018-20848 1Peel 1Peel Shopping Nov 21, 2024 Jun 30, 2019 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Advisto PEEL SHOPPING 9.0.0 has CSRF via en/achat/caddie_ajout.php and en/achat/caddie_affichage.php, as demonstrated by an XSS payload in the couleurId[0] parameter to the latter.
CVE-2019-5814 4Debian FedoraprojectGoogle+1 more 5Backports ChromeDebian Linux+2 more Jun 17, 2026 Jun 27, 2019 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 Insufficient policy enforcement in Blink in Google Chrome prior to 74.0.3729.108 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

Previous 1...358359360...468 Next