CWE-352

9,349 CVEs • Abstraction: Compound • Likelihood of Exploit: Medium

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.


CVEs (9,349)

Fields per entry: vendor, product(s), updated date, published date, CVSS (v4 / v3 / v2), description.

Vendor: Yellowpencil
Product: Visual Css Style Editor
Updated: Jun 17, 2026 | Published: May 13, 2019
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.8 MEDIUM
The WaspThemes Visual CSS Style Editor (aka yellow-pencil-visual-theme-customizer) plugin before 7.2.1 for WordPress allows yp_option_update CSRF, as demonstrated by use of yp_remote_get to obtain admin access.

Vendor: Ibm
Product: Financial Transaction Manager
Updated: Nov 21, 2024 | Published: May 10, 2019
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.8 MEDIUM
IBM Financial Transaction Manager for Digital Payments for Multi-Platform 3.0.2 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 148944.

Vendor: Metinfo
Product: Metinfo
Updated: Nov 21, 2024 | Published: May 10, 2019
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.8 MEDIUM
Metinfo 5.3.18 is affected by: Cross Site Request Forgery (CSRF). The impact is: Information Disclosure (remote). The component is: admin/interface/online/delete.php. The attack vector is: The administrator clicks on the malicious link in the login state.

Vendor: Metinfo
Product: Metinfo
Updated: Nov 21, 2024 | Published: May 9, 2019
CVSS: v4 N/A | v3 6.5 MEDIUM | v2 4.3 MEDIUM
Metinfo 5.3.18 is affected by: Cross Site Request Forgery (CSRF). The impact is: Information Disclosure (remote). The component is: admin/index.php. The attack vector is: The administrator clicks on the malicious link in the login state.

Vendor: Jio
Product: Jmr1140 Firmware
Updated: Jun 17, 2026 | Published: May 7, 2019
CVSS: v4 N/A | v3 8.1 HIGH | v2 4.3 MEDIUM
JioFi 4 jmr1140 Amtel_JMR1140_R12.07 devices allow remote attackers to obtain an admin token by making a /cgi-bin/qcmap_auth type=getuser request and then reading the token field. This token value can then be used to change the Wi-Fi password or perform a factory reset.

Vendor: Ibm
Product: Curam Social Program Management
Updated: Nov 21, 2024 | Published: May 7, 2019
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.8 MEDIUM
IBM Cram Social Program Management 6.1.1, 6.2.0, 7.0.4, and 7.0.5 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 154891.

Vendor: Phoenixcontact
Products (29): Fl Switch 3004t Fx Firmware, Fl Switch 3004t Fx St Firmware, Fl Switch 3005 Firmware, +26 more
Updated: Nov 21, 2024 | Published: May 7, 2019
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.8 MEDIUM
The WebUI of PHOENIX CONTACT FL SWITCH 3xxx, 4xxx, 48xx versions 1.0 to 1.34 is prone to CSRF.

Vendor: Veeam
Product: One Reporter
Updated: Jun 17, 2026 | Published: May 6, 2019
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.8 MEDIUM
Veeam ONE Reporter 9.5.0.3201 allows CSRF.

Vendor: Sierrawireless
Product: Airlink Es450 Firmware
Updated: Nov 21, 2024 | Published: May 6, 2019
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.8 MEDIUM
An exploitable cross-site request forgery vulnerability exists in the ACEManager functionality of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can cause an authenticated user to perform privileged requests unknowingly, resulting in unauthenticated requests being requested through an authenticated user. An attacker can get an authenticated user to request authenticated pages on the attacker's behalf to trigger this vulnerability.

Vendor: Twitter
Product: Twitter Kit
Updated: Jun 17, 2026 | Published: May 6, 2019
CVSS: v4 N/A | v3 5.4 MEDIUM | v2 5.5 MEDIUM
This vulnerability was caused by an incomplete fix to CVE-2017-0911. Twitter Kit for iOS versions 3.0 to 3.4.0 is vulnerable to a callback verification flaw in the "Login with Twitter" component allowing an attacker to provide alternate credentials. In the final step of "Login with Twitter" authentication information is passed back to the application using the registered custom URL scheme (typically twitterkit-<consumer-key>) on iOS. Because the callback handler did not verify the authenticity of the response, this step is vulnerable to forgery, potentially allowing attacker to associate a Twitter account with a third-party service.

Vendor: Ui
Product: Unifi Video
Updated: Jun 17, 2026 | Published: May 6, 2019
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.8 MEDIUM
In UniFi Video 3.10.0 and prior, due to the lack of CSRF protection, it is possible to abuse the Web API to make changes on the server configuration without the user consent, requiring the attacker to lure an authenticated user to access on attacker controlled page.

Vendor: Cisco
Products (14): Hx220c Af M5 Firmware, Hx220c All Nvme M5 Firmware, Hx220c Edge M5 Firmware, +11 more
Updated: Jun 17, 2026 | Published: May 3, 2019
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.8 MEDIUM
A vulnerability in the web-based management interface of Cisco HyperFlex HX-Series could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected system. The vulnerability is due to insufficient CSRF protections for the web-based management interface of the affected software. An attacker could exploit this vulnerability by persuading a user of the interface to follow a crafted link. A successful exploit could allow the attacker to perform arbitrary actions on an affected system by using a web browser and with the privileges of the user.

Vendor: Cisco
Product: Adaptive Security Appliance Software
Updated: Jun 17, 2026 | Published: May 3, 2019
CVSS: v4 N/A | v3 8.8 HIGH | v2 9.3 HIGH
A vulnerability in the web-based management interface of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protections for the web-based management interface on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user. If the user has administrative privileges, the attacker could alter the configuration of, extract information from, or reload an affected device.

Vendor: Doorgets
Product: Doorgets Cms
Updated: Jun 17, 2026 | Published: Apr 30, 2019
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.8 MEDIUM
doorGets 7.0 has a CSRF vulnerability in /doorgets/app/requests/user/configurationRequest.php. A remote attacker can exploit this vulnerability for "Google Analytics code" modification.

Vendor: Directadmin
Product: Directadmin
Updated: Jun 17, 2026 | Published: Apr 30, 2019
CVSS: v4 N/A | v3 6.1 MEDIUM | v2 6.8 MEDIUM
The FileManager in InfinitumIT DirectAdmin through v1.561 has XSS via CMD_FILE_MANAGER, CMD_SHOW_USER, and CMD_SHOW_RESELLER; an attacker can bypass the CSRF protection with this, and take over the administration panel.

Vendor: Bpcbt
Product: Smartvista
Updated: Nov 21, 2024 | Published: Apr 30, 2019
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.8 MEDIUM
BPC SmartVista 2 has CSRF via SVFE2/pages/admpages/roles/createrole.jsf.

Vendor: Polarisft
Product: Intellect Core Banking
Updated: Nov 21, 2024 | Published: Apr 30, 2019
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.8 MEDIUM
An issue was discovered in the Armor module in Polaris FT Intellect Core Banking 9.7.1. CSRF can occur via a /CollatWebApp/gcmsRefInsert?name=SUPP URI.

Vendor: Jenkins
Product: Github Authentication
Updated: Jun 17, 2026 | Published: Apr 30, 2019
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.8 MEDIUM
Jenkins GitHub Authentication Plugin 0.31 and earlier did not use the state parameter of OAuth to prevent CSRF.

Vendor: Jenkins
Product: Ansible Tower
Updated: Jun 17, 2026 | Published: Apr 30, 2019
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.8 MEDIUM
A cross-site request forgery vulnerability in Jenkins Ansible Tower Plugin 0.9.1 and earlier in the TowerInstallation.TowerInstallationDescriptor#doTestTowerConnection form validation method allowed attackers permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Vendor: Jenkins
Product: Static Analysis Utilities
Updated: Jun 17, 2026 | Published: Apr 30, 2019
CVSS: v4 N/A | v3 6.5 MEDIUM | v2 4.3 MEDIUM
A cross-site request forgery vulnerability in Jenkins Static Analysis Utilities Plugin 1.95 and earlier in the DefaultGraphConfigurationView#doSave form handler method allowed attackers to change the per-job default graph configuration for all users.