Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

CVEs (9,314)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2013-7464 1Csrf Magic Project 1Csrf Magic Nov 21, 2024 Aug 8, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 In csrf-magic before 1.0.4, if $GLOBALS['csrf']['secret'] is not configured, the Anti-CSRF Token used is predictable and would permit an attacker to bypass the CSRF protections, because an automatically generated secret...Show more In csrf-magic before 1.0.4, if $GLOBALS['csrf']['secret'] is not configured, the Anti-CSRF Token used is predictable and would permit an attacker to bypass the CSRF protections, because an automatically generated secret is not used.Show less
CVE-2018-7060 1Arubanetworks 1Clearpass Jun 17, 2026 Aug 6, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Aruba ClearPass 6.6.x prior to 6.6.9 and 6.7.x prior to 6.7.1 is vulnerable to CSRF attacks against authenticated users. An attacker could manipulate an authenticated user into performing actions on the web administrativ...Show more Aruba ClearPass 6.6.x prior to 6.6.9 and 6.7.x prior to 6.7.1 is vulnerable to CSRF attacks against authenticated users. An attacker could manipulate an authenticated user into performing actions on the web administrative interface.Show less
CVE-2018-14978 1Q Cms 1Qcms Nov 21, 2024 Aug 6, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 An issue was discovered in QCMS 3.0.1. CSRF exists via the backend/user/admin/add.html URI.
CVE-2018-14966 1Emlsoft Project 1Emlsoft Nov 21, 2024 Aug 6, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 An issue was discovered in EMLsoft 5.4.5. The eml/upload/eml/?action=user&do=add page allows CSRF.
CVE-2018-14965 1Emlsoft Project 1Emlsoft Nov 21, 2024 Aug 6, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 An issue was discovered in EMLsoft 5.4.5. The eml/upload/eml/?action=address&do=add page allows CSRF.
CVE-2018-14963 1Zzcms 1Zzcms Nov 21, 2024 Aug 6, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 zzcms 8.3 has CSRF via the admin/adminadd.php?action=add URI.
CVE-2018-14960 1Xiao5ucompany Project 1Xiao5ucompany Nov 21, 2024 Aug 6, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Xiao5uCompany 1.7 has CSRF via admin/Admin.asp.
CVE-2018-14959 1Weaselcms Project 1Weaselcms Nov 21, 2024 Aug 5, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 An issue was discovered in WeaselCMS v0.3.5. CSRF can create new pages via an index.php?b=pages&a=new URI.
CVE-2018-14958 1Weaselcms Project 1Weaselcms Nov 21, 2024 Aug 5, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 An issue was discovered in WeaselCMS v0.3.5. CSRF can update the website settings (such as the theme, title, and description) via index.php.
CVE-2018-14926 1Matera 1Banco Nov 21, 2024 Aug 3, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Matera Banco 1.0.0 allows CSRF, as demonstrated by a /contingency/web/messageSend/messageSendHandler.jsp request.
CVE-2018-14910 1Seacms 1Seacms Nov 21, 2024 Aug 3, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 SeaCMS v6.61 allows Remote Code execution by placing PHP code in an allowed IP address (aka ip) to /admin/admin_ip.php (aka /adm1n/admin_ip.php). The code is executed by visiting adm1n/admin_ip.php or data/admin/ip.php....Show more SeaCMS v6.61 allows Remote Code execution by placing PHP code in an allowed IP address (aka ip) to /admin/admin_ip.php (aka /adm1n/admin_ip.php). The code is executed by visiting adm1n/admin_ip.php or data/admin/ip.php. This can also be exploited through CSRF.Show less
CVE-2018-14908 1Samsung 1Syncthru Web Service Nov 21, 2024 Aug 3, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Samsung Syncthru Web Service V4.05.61 is vulnerable to CSRF on every request, as demonstrated by sws.application/printinformation/printReportSetupView.sws for a "Print emails sent" action.
CVE-2018-0413 1Cisco 1Identity Services Engine Software Nov 21, 2024 Aug 1, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary ac...Show more A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. The vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a crafted link. A successful exploit could allow the attacker to perform arbitrary actions on a targeted device via a web browser and with the privileges of the user. Cisco Bug IDs: CSCvi85159.Show less
CVE-2018-1999027 1Jenkins 1Saltstack Nov 21, 2024 Aug 1, 2018 N/A· v4 7.5 HIGH· v3 6.8 MEDIUM· v2 An exposure of sensitive information vulnerability exists in Jenkins SaltStack Plugin 3.1.6 and earlier in SaltAPIBuilder.java, SaltAPIStep.java that allows attackers to capture credentials with a known credentials ID st...Show more An exposure of sensitive information vulnerability exists in Jenkins SaltStack Plugin 3.1.6 and earlier in SaltAPIBuilder.java, SaltAPIStep.java that allows attackers to capture credentials with a known credentials ID stored in Jenkins.Show less
CVE-2018-14603 1Gitlab 1Gitlab Nov 21, 2024 Jul 27, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 An issue was discovered in GitLab Community and Enterprise Edition before 10.8.7, 11.0.x before 11.0.5, and 11.1.x before 11.1.2. CSRF can occur in the Test feature of the System Hooks component.
CVE-2018-14583 1Xyhcms 1Xyhcms Nov 21, 2024 Jul 24, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 xyhai.php?s=/Auth/addUser in XYHCMS 3.5 allows CSRF to add a background administrator account.
CVE-2018-14582 1Bagesoft 1Bagecms Nov 21, 2024 Jul 24, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 index.php?r=admini/admin/create in BageCMS V3.1.3 allows CSRF to add a background administrator account.
CVE-2017-3187 1Dotcms 1Dotcms Nov 21, 2024 Jul 24, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 The dotCMS administration panel, versions 3.7.1 and earlier, are vulnerable to cross-site request forgery. The dotCMS administrator panel contains a cross-site request forgery (CSRF) vulnerability. An attacker can perfor...Show more The dotCMS administration panel, versions 3.7.1 and earlier, are vulnerable to cross-site request forgery. The dotCMS administrator panel contains a cross-site request forgery (CSRF) vulnerability. An attacker can perform actions with the same permissions as a victim user, provided the victim has an active session and is induced to trigger the malicious request. An unauthenticated remote attacker may perform actions with the dotCMS administrator panel with the same permissions of a victim user or execute arbitrary system commands with the permissions of the user running the dotCMS application.Show less
CVE-2018-14421 1Seacms 1Seacms Nov 21, 2024 Jul 20, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 SeaCMS v6.61 allows Remote Code execution by placing PHP code in a movie picture address (aka v_pic) to /admin/admin_video.php (aka /backend/admin_video.php). The code is executed by visiting /details/index.php. This...Show more SeaCMS v6.61 allows Remote Code execution by placing PHP code in a movie picture address (aka v_pic) to /admin/admin_video.php (aka /backend/admin_video.php). The code is executed by visiting /details/index.php. This can also be exploited through CSRF.Show less
CVE-2018-14420 1Metinfo 1Metinfo Nov 21, 2024 Jul 20, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 MetInfo 6.0.0 allows a CSRF attack to add a user account via a doaddsave action to admin/index.php, as demonstrated by an admin/index.php?anyid=47&n=admin&c=admin_admin&a=doaddsave URI.

Previous 1...376377378...466 Next