Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

CVEs (9,334)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2019-1797 1Cisco 1Wireless Lan Controller Software Jun 17, 2026 Apr 18, 2019 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 A vulnerability in the web-based management interface of Cisco Wireless LAN Controller (WLC) Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbi...Show more A vulnerability in the web-based management interface of Cisco Wireless LAN Controller (WLC) Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on the device with the privileges of the user, including modifying the device configuration. The vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading an interface user to follow a crafted link. A successful exploit could allow the attacker to perform arbitrary actions on the device with the privileges of the user. Software versions prior to 8.3.150.0, 8.5.135.0, and 8.8.100.0 are affected.Show less
CVE-2019-1722 1Cisco 2Expressway Series Telepresence Video Communication Server Jun 17, 2026 Apr 18, 2019 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 A vulnerability in the FindMe feature of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) atta...Show more A vulnerability in the FindMe feature of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected system. The vulnerability is due to insufficient CSRF protections for the web-based management interface of the affected system. An attacker could exploit this vulnerability by persuading a user of the interface to follow a maliciously crafted link. A successful exploit could allow the attacker to perform arbitrary actions on an affected system with the privileges of the user. The arbitrary actions include adding an attacker-controlled device and redirecting calls intended for a specific user. For more information about CSRF attacks and potential mitigations, see Understanding Cross-Site Request Forgery Threat Vectors. This vulnerability is fixed in software version X12.5.1 and later.Show less
CVE-2019-10642 1Contao 1Contao Cms Jun 17, 2026 Apr 17, 2019 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Contao 4.7 allows CSRF.
CVE-2019-9176 1Gitlab 1Gitlab Jun 17, 2026 Apr 17, 2019 N/A· v4 6.5 MEDIUM· v3 5.8 MEDIUM· v2 An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It allows CSRF.
CVE-2018-13810 1Siemens 2Cp 1604 Firmware Cp 1616 Firmware Nov 21, 2024 Apr 17, 2019 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 A vulnerability has been identified in CP 1604 (All versions), CP 1616 (All versions). The integrated configuration web server of the affected CP devices could allow a Cross-Site Request Forgery (CSRF) attack if an unsus...Show more A vulnerability has been identified in CP 1604 (All versions), CP 1616 (All versions). The integrated configuration web server of the affected CP devices could allow a Cross-Site Request Forgery (CSRF) attack if an unsuspecting user is tricked into accessing a malicious link. Successful exploitation requires user interaction by a legitimate user. A successful attack could allow an attacker to trigger actions via the web interface that the legitimate user is allowed to perform. At the time of advisory publication no public exploitation of this vulnerability was known.Show less
CVE-2018-16966 1Filemanagerpro 1File Manager Nov 21, 2024 Apr 15, 2019 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 There is a CSRF vulnerability in the mndpsingh287 File Manager plugin 3.0 for WordPress via the page=wp_file_manager_root public_path parameter.
CVE-2018-17584 1Wpfastestcache 1Wp Fastest Cache Nov 21, 2024 Apr 15, 2019 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 The WP Fastest Cache plugin 0.8.8.5 for WordPress has CSRF via the wp-admin/admin.php wpfastestcacheoptions page.
CVE-2017-18366 1Intelliants 1Subrion Cms Nov 21, 2024 Apr 15, 2019 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Subrion CMS 4.1.5 has CSRF in blog/delete/.
CVE-2019-11078 1Mkcms Project 1Mkcms Jun 17, 2026 Apr 11, 2019 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 MKCMS V5.0 has a CSRF vulnerability to add a new admin user via the ucenter/userinfo.php URI.
CVE-2019-11077 1Fastadmin 1Fastadmin Jun 17, 2026 Apr 11, 2019 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 FastAdmin V1.0.0.20190111_beta has a CSRF vulnerability to add a new admin user via the admin/auth/admin/add?dialog=1 URI.
CVE-2019-0229 1Apache 1Airflow Jun 17, 2026 Apr 10, 2019 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 A number of HTTP endpoints in the Airflow webserver (both RBAC and classic) did not have adequate protection and were vulnerable to cross-site request forgery attacks.
CVE-2018-2000 1Ibm 2Business Automation Workflow Business Process Manager Nov 21, 2024 Apr 8, 2019 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 IBM Business Automation Workflow 18.0.0.0 and 18.0.0.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trus...Show more IBM Business Automation Workflow 18.0.0.0 and 18.0.0.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 154890.Show less
CVE-2019-10888 1Ukcms 1Ukcms Jun 17, 2026 Apr 5, 2019 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 A CSRF Issue that can add an admin user was discovered in UKcms v1.1.10 via admin.php/admin/role/add.html.
CVE-2018-20816 1Salesagility 1Suitecrm Nov 21, 2024 Apr 5, 2019 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 An XSS combined with CSRF vulnerability discovered in SalesAgility SuiteCRM 7.x before 7.8.24 and 7.10.x before 7.10.11 leads to cookie stealing, aka session hijacking. This issue affects the "add dashboard pages" featur...Show more An XSS combined with CSRF vulnerability discovered in SalesAgility SuiteCRM 7.x before 7.8.24 and 7.10.x before 7.10.11 leads to cookie stealing, aka session hijacking. This issue affects the "add dashboard pages" feature where users can receive a malicious attack through a phished URL, with script executed.Show less
CVE-2019-10874 1Boltcms 1Bolt Jun 17, 2026 Apr 5, 2019 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Cross Site Request Forgery (CSRF) in the bolt/upload File Upload feature in Bolt CMS 3.6.6 allows remote attackers to execute arbitrary code by uploading a JavaScript file to include executable extensions in the file/edi...Show more Cross Site Request Forgery (CSRF) in the bolt/upload File Upload feature in Bolt CMS 3.6.6 allows remote attackers to execute arbitrary code by uploading a JavaScript file to include executable extensions in the file/edit/config/config.yml configuration file.Show less
CVE-2019-10292 1Jenkins 1Kmap Jun 17, 2026 Apr 4, 2019 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 A cross-site request forgery vulnerability in Jenkins Kmap Plugin in KmapJenkinsBuilder.DescriptorImpl form validation methods allows attackers to initiate a connection to an attacker-specified server.
CVE-2019-10289 1Jenkins 1Netsparker Cloud Scan Jun 17, 2026 Apr 4, 2019 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 A cross-site request forgery vulnerability in Jenkins Netsparker Cloud Scan Plugin 1.1.5 and older in the NCScanBuilder.DescriptorImpl#doValidateAPI form validation method allowed attackers to initiate a connection to an...Show more A cross-site request forgery vulnerability in Jenkins Netsparker Cloud Scan Plugin 1.1.5 and older in the NCScanBuilder.DescriptorImpl#doValidateAPI form validation method allowed attackers to initiate a connection to an attacker-specified server.Show less
CVE-2019-10278 1Jenkins 1Jenkins Reviewbot Jun 17, 2026 Apr 4, 2019 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 A cross-site request forgery vulnerability in Jenkins jenkins-reviewbot Plugin in the ReviewboardDescriptor#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified serve...Show more A cross-site request forgery vulnerability in Jenkins jenkins-reviewbot Plugin in the ReviewboardDescriptor#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server.Show less
CVE-2019-1003098 1Jenkins 1Openid Jun 17, 2026 Apr 4, 2019 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 A cross-site request forgery vulnerability in Jenkins openid Plugin in the OpenIdSsoSecurityRealm.DescriptorImpl#doValidate form validation method allows attackers to initiate a connection to an attacker-specified server...Show more A cross-site request forgery vulnerability in Jenkins openid Plugin in the OpenIdSsoSecurityRealm.DescriptorImpl#doValidate form validation method allows attackers to initiate a connection to an attacker-specified server.Show less
CVE-2019-1003092 1Jenkins 1Nomad Jun 17, 2026 Apr 4, 2019 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 A cross-site request forgery vulnerability in Jenkins Nomad Plugin in the NomadCloud.DescriptorImpl#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server.

Previous 1...362363364...467 Next