CWE-352

9,314 CVEs • Abstraction: Compound • Likelihood of Exploit: Medium

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.


CVEs (9,314)

Columns: CVE · Vendors · Products · Updated · Published · CVSS (v4 / v3 / v2)
Vendor: Zohocorp · Product: Manageengine Admanager Plus · Updated: Oct 24, 2025 · Published: Feb 7, 2018 · CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
/LoadFrame in Zoho ManageEngine AD Manager Plus build 6590 - 6613 allows attackers to conduct URL Redirection attacks via the src parameter, resulting in a bypass of CSRF protection, or potentially masquerading a malicious URL as trusted.

Vendor: Boot2docker · Product: Boot2docker · Updated: Nov 21, 2024 · Published: Feb 6, 2018 · CVSS: v4 N/A, v3 8.8 HIGH, v2 9.3 HIGH
boot2docker 1.2 and earlier allows attackers to conduct cross-site request forgery (CSRF) attacks by leveraging Docker daemons enabling TCP connections without TLS authentication.

Vendor: Kaspersky · Product: Secure Mail Gateway · Updated: Jun 17, 2026 · Published: Feb 6, 2018 · CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
Cross-site Request Forgery leading to Administrative account takeover in Kaspersky Secure Mail Gateway version 1.1.

Vendor: Zblogcn · Product: Z Blogphp · Updated: Jun 17, 2026 · Published: Feb 6, 2018 · CVSS: v4 N/A, v3 6.5 MEDIUM, v2 5.8 MEDIUM
Z-BlogPHP 1.5.1 has CSRF via zb_users/plugin/AppCentre/app_del.php, as demonstrated by deleting files and directories.

Vendor: Flickrrss Project · Product: Flickrrss · Updated: Jun 17, 2026 · Published: Feb 6, 2018 · CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
The flickrRSS plugin 5.3.1 for WordPress has CSRF via wp-admin/options-general.php.

Vendors: Parsecgaming, Uncurl Project · Products: Parsec, Uncurl · Updated: Jun 17, 2026 · Published: Feb 5, 2018 · CVSS: v4 N/A, v3 8.8 HIGH, v2 9.3 HIGH
In the uncurl_ws_accept function in uncurl.c in uncurl before 0.07, as used in Parsec before 140-3, insufficient Origin header validation (accepting an arbitrary substring match) for WebSocket API requests allows remote attackers to bypass intended access restrictions. In Parsec, this means full control over the victim's computer.

Vendor: Subsonic · Product: Subsonic · Updated: Nov 21, 2024 · Published: Feb 5, 2018 · CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
Cross-site request forgery (CSRF) vulnerability in the Subscribe to Podcast feature in Subsonic 6.1.1 allows remote attackers to hijack the authentication of unspecified victims for requests that conduct cross-site scripting (XSS) attacks or possibly have unspecified other impact via the name parameter to playerSettings.view.

Vendor: Codestyling Localization Project · Product: Codestyling Localization · Updated: Nov 21, 2024 · Published: Feb 5, 2018 · CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
Multiple cross-site request forgery (CSRF) vulnerabilities in the Codestyling Localization plugin 1.99.30 and earlier for WordPress.

Vendor: Atlassian · Product: Bamboo · Updated: Nov 21, 2024 · Published: Feb 2, 2018 · CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
The saveConfigureSecurity resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to modify security settings via a Cross-site request forgery (CSRF) vulnerability.

Vendor: Atlassian · Product: Bamboo · Updated: Nov 21, 2024 · Published: Feb 2, 2018 · CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
The update user administration resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to modify user data including passwords via a Cross-site request forgery (CSRF) vulnerability.

Vendor: Open Atrium Project · Product: Open Atrium · Updated: Nov 21, 2024 · Published: Feb 1, 2018 · CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
Multiple cross-site request forgery (CSRF) vulnerabilities in unspecified sub modules in the Open Atrium module 7.x-2.x before 7.x-2.26 for Drupal allow remote attackers to hijack the authentication of unknown victims via vectors related to menu callbacks.

Vendor: Kkcald Project · Product: Kkcald · Updated: Nov 21, 2024 · Published: Feb 1, 2018 · CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
Cross-site request forgery (CSRF) vulnerability in epg search result viewer (kkcald) 0.7.21 and earlier allows an attacker to hijack the authentication of administrators via unspecified vectors.

Vendor: Conceptronic · Products: Cipcamptiwl Firmware, Cipcamptiwl Web Firmware · Updated: Jun 17, 2026 · Published: Jan 30, 2018 · CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
An issue was discovered on Conceptronic CIPCAMPTIWL V3 0.61.30.21 devices. CSRF exists in hy-cgi/user.cgi, as demonstrated by changing an administrator password or adding a new administrator account.

Vendor: Netis Systems · Product: Wf2419 Firmware · Updated: Jun 17, 2026 · Published: Jan 29, 2018 · CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
A cross-site request forgery web vulnerability has been discovered on Netis WF2419 V2.2.36123 devices. A remote attacker is able to delete Address Reservation List settings.

Vendor: Jenkins · Product: Jenkins · Updated: Nov 21, 2024 · Published: Jan 29, 2018 · CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an issue in the Jenkins user database authentication realm: create an account if signup is enabled; or create an account if the victim is an administrator, possibly deleting the existing default admin user in the process and allowing a wide variety of impacts.

Vendor: Vmware · Product: Airwatch · Updated: Nov 21, 2024 · Published: Jan 29, 2018 · CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
VMware AirWatch Console (9.2.x before 9.2.2 and 9.1.x before 9.1.5) contains a Cross Site Request Forgery vulnerability when accessing the App Catalog. An attacker may exploit this issue by tricking users into installing a malicious application on their devices.

Vendor: Joomsky · Product: Js Support Ticket · Updated: Jun 17, 2026 · Published: Jan 29, 2018 · CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
CSRF exists in the JS Support Ticket 1.1.0 component for Joomla! and allows attackers to inject HTML or edit a ticket.

Vendor: Dodocool · Product: Dc38 Firmware · Updated: Jun 17, 2026 · Published: Jan 29, 2018 · CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
An issue was discovered on DODOCOOL DC38 3-in-1 N300 Mini Wireless Range Extend RTN2-AW.GD.R3465.1.20161103 devices. A Cross-site request forgery (CSRF) vulnerability allows remote attackers to hijack the authentication of users for requests that modify all the settings. This vulnerability can lead to changing an existing user's username and password, changing the Wi-Fi password, etc.

Vendor: Acurax · Product: Social Media Widget · Updated: Jun 17, 2026 · Published: Jan 27, 2018 · CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
The acx_asmw_saveorder_callback function in function.php in the acurax-social-media-widget plugin before 3.2.6 for WordPress has CSRF via the recordsArray parameter to wp-admin/admin-ajax.php, with resultant social_widget_icon_array_order XSS.

Vendor: Jenkins · Product: Jenkins · Updated: Nov 21, 2024 · Published: Jan 24, 2018 · CVSS: v4 N/A, v3 8.1 HIGH, v2 6.8 MEDIUM
A race condition during Jenkins 2.94 and earlier; 2.89.1 and earlier startup could result in the wrong order of execution of commands during initialization. There is a very short window of time after startup during which Jenkins may no longer show the 'Please wait while Jenkins is getting ready to work' message but Cross-Site Request Forgery (CSRF) protection may not yet be effective.