Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

CVEs (9,314)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2018-10048 1Iscripts 1Eswap Nov 21, 2024 Apr 11, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 iScripts eSwap v2.4 has CSRF via "registration_settings.php" in the Admin Panel.
CVE-2018-10031 1Cmsmadesimple 1Cms Made Simple Nov 21, 2024 Apr 11, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 CMS Made Simple (aka CMSMS) 2.2.7 has CSRF in admin/moduleinterface.php.
CVE-2018-10030 1Cmsmadesimple 1Cms Made Simple Nov 21, 2024 Apr 11, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 CMS Made Simple (aka CMSMS) 2.2.7 has CSRF in admin/siteprefs.php.
CVE-2018-9927 1Wuzhicms 1Wuzhicms Jun 17, 2026 Apr 10, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF vulnerability that can add a user account via index.php?m=member&f=index&v=add.
CVE-2018-9926 1Wuzhicms 1Wuzhicms Jun 17, 2026 Apr 10, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF vulnerability that can add an admin account via index.php?m=core&f=power&v=add.
CVE-2018-9923 1Icmsdev 1Icms Jun 17, 2026 Apr 10, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 An issue was discovered in idreamsoft iCMS through 7.0.7. CSRF exists in admincp.php, as demonstrated by adding an article via an app=article&do=save&frame=iPHP request.
CVE-2018-9856 1Kotti Project 1Kotti Jun 17, 2026 Apr 9, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Kotti before 1.3.2 and 2.x before 2.0.0b2 has CSRF in the local roles implementation, as demonstrated by triggering a permission change via a /admin-document/@@share request.
CVE-2014-5072 1Wpsecurityauditlog 1Wp Security Audit Log Nov 21, 2024 Apr 6, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Cross-site request forgery (CSRF) vulnerability in WP Security Audit Log plugin before 1.2.5 for WordPress allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
CVE-2014-5034 1Fresh Media 1Brute Force Login Protection Nov 21, 2024 Apr 6, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Cross-site request forgery (CSRF) vulnerability in the Brute Force Login Protection module 1.3 for WordPress allows remote attackers to hijack the authentication of unspecified users for requests that have unknown impact...Show more Cross-site request forgery (CSRF) vulnerability in the Brute Force Login Protection module 1.3 for WordPress allows remote attackers to hijack the authentication of unspecified users for requests that have unknown impact via a crafted request to the brute-force-login-protection page to wp-admin/options-general.php.Show less
CVE-2018-1000153 1Jenkins 1Vsphere Nov 21, 2024 Apr 5, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 A cross-site request forgery vulnerability exists in Jenkins vSphere Plugin 2.16 and older in Clone.java, CloudSelectorParameter.java, ConvertToTemplate.java, ConvertToVm.java, Delete.java, DeleteSnapshot.java, Deploy.ja...Show more A cross-site request forgery vulnerability exists in Jenkins vSphere Plugin 2.16 and older in Clone.java, CloudSelectorParameter.java, ConvertToTemplate.java, ConvertToVm.java, Delete.java, DeleteSnapshot.java, Deploy.java, ExposeGuestInfo.java, FolderVSphereCloudProperty.java, PowerOff.java, PowerOn.java, Reconfigure.java, Rename.java, RenameSnapshot.java, RevertToSnapshot.java, SuspendVm.java, TakeSnapshot.java, VSphereBuildStepContainer.java, vSphereCloudProvisionedSlave.java, vSphereCloudSlave.java, vSphereCloudSlaveTemplate.java, VSphereConnectionConfig.java, vSphereStep.java that allows attackers to perform form validation related actions, including sending numerous requests to the configured vSphere server, potentially resulting in denial of service, or send credentials stored in Jenkins with known ID to an attacker-specified server ("test connection").Show less
CVE-2018-6874 1Auth0 1Auth0.js Jun 17, 2026 Apr 4, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 CSRF exists in the Auth0 authentication service through 14591 if the Legacy Lock API flag is enabled.
CVE-2018-8814 1Wolfcms 1Wolf Cms Jun 17, 2026 Apr 4, 2018 N/A· v4 6.5 MEDIUM· v3 5.8 MEDIUM· v2 Cross-site request forgery (CSRF) vulnerability in WolfCMS 0.8.3.1 allows remote attackers to hijack the authentication of users for requests that modify plugin/[pluginname]/settings by crafting a malicious request.
CVE-2017-3965 1Mcafee 1Network Security Manager Nov 21, 2024 Apr 4, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Cross-Site Request Forgery (CSRF) (aka Session Riding) vulnerability in the web interface in McAfee Network Security Management (NSM) before 8.2.7.42.2 allows remote attackers to perform unauthorized tasks such as retrie...Show more Cross-Site Request Forgery (CSRF) (aka Session Riding) vulnerability in the web interface in McAfee Network Security Management (NSM) before 8.2.7.42.2 allows remote attackers to perform unauthorized tasks such as retrieving internal system information or manipulating the database via specially crafted URLs.Show less
CVE-2018-1098 2Fedoraproject Redhat 2Etcd Fedora Nov 21, 2024 Apr 3, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 A cross-site request forgery flaw was found in etcd 3.3.1 and earlier. An attacker can set up a website that tries to send a POST request to the etcd server and modify a key. Adding a key is done with PUT so it is theore...Show more A cross-site request forgery flaw was found in etcd 3.3.1 and earlier. An attacker can set up a website that tries to send a POST request to the etcd server and modify a key. Adding a key is done with PUT so it is theoretically safe (can't PUT from an HTML form or such) but POST allows creating in-order keys that an attacker can send.Show less
CVE-2018-8908 1Frog Cms Project 1Frog Cms Jun 17, 2026 Mar 31, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 An issue was discovered in /admin/?/user/add in Frog CMS 0.9.5. The application's add user functionality suffers from CSRF. A malicious user can craft an HTML page and use it to trick a victim into clicking on it; once e...Show more An issue was discovered in /admin/?/user/add in Frog CMS 0.9.5. The application's add user functionality suffers from CSRF. A malicious user can craft an HTML page and use it to trick a victim into clicking on it; once executed, a malicious user will be created with admin privileges. This happens due to lack of an anti-CSRF token in state modification requests.Show less
CVE-2018-8893 1Zblogcn 1Z Blogphp Jun 17, 2026 Mar 31, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Z-BlogPHP 1.5.1 Zero has CSRF in plugin_edit.php, resulting in the ability to execute arbitrary PHP code.
CVE-2018-9134 1Dedecms 1Dedecms Jun 17, 2026 Mar 30, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 file_manage_control.php in DedeCMS 5.7 has CSRF in an fmdo=rename action, as demonstrated by renaming an arbitrary file under uploads/userup to a .php file under the web root to achieve PHP code execution. This uses the...Show more file_manage_control.php in DedeCMS 5.7 has CSRF in an fmdo=rename action, as demonstrated by renaming an arbitrary file under uploads/userup to a .php file under the web root to achieve PHP code execution. This uses the oldfilename and newfilename parameters.Show less
CVE-2015-2009 1Ibm 1Qradar Security Information And Event Manager Nov 21, 2024 Mar 29, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Cross-site request forgery (CSRF) vulnerability in the xmlrpc.cgi service in IBM QRadar SIEM 7.1 before MR2 Patch 11 Interim Fix 02 and 7.2.x before 7.2.5 Patch 4 allows remote attackers to hijack the authentication of a...Show more Cross-site request forgery (CSRF) vulnerability in the xmlrpc.cgi service in IBM QRadar SIEM 7.1 before MR2 Patch 11 Interim Fix 02 and 7.2.x before 7.2.5 Patch 4 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences via vectors related to webmin. IBM X-Force ID: 103921.Show less
CVE-2018-9108 1Quickappscms 1Quickapps Cms Jun 17, 2026 Mar 28, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 CSRF in /admin/user/manage/add in QuickAppsCMS 2.0.0-beta2 allows an unauthorized remote attacker to create an account with admin privileges.
CVE-2018-9092 11234n 1Minicms Jun 17, 2026 Mar 27, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 There is a CSRF vulnerability in mc-admin/conf.php in MiniCMS 1.10 that can change the administrator account password.

Previous 1...383384385...466 Next