CWE-352

9,314 CVEs • Abstraction: Compound • Likelihood of Exploit: Medium

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.


CVEs (9,314)

Each entry below lists vendor, product(s), updated and published dates, CVSS scores (v4 / v3 / v2), and the CVE description.

Vendor: Piwigo | Product: Piwigo
Updated: May 13, 2026 | Published: Dec 21, 2017
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.8 MEDIUM
Piwigo 2.9.2 is vulnerable to Cross-Site Request Forgery via /admin.php?page=configuration&section=main or /admin.php?page=batch_manager&mode=unit. An attacker can exploit this to coerce an admin user into performing unintended actions.

Vendor: Cambiumnetworks | Products (5): Cnpilot E400 Firmware, Cnpilot E410 Firmware, Cnpilot E600 Firmware, +2 more
Updated: May 13, 2026 | Published: Dec 20, 2017
CVSS: v4 N/A | v3 8.0 HIGH | v2 5.4 MEDIUM
Versions 4.3.2-R4 and prior of Cambium Networks cnPilot firmware lack CSRF controls that can mitigate the effects of CSRF attacks, which are most typically implemented as randomized per-session tokens associated with any web application function, especially destructive ones.

Vendor: Ibm | Product: Jazz For Service Management
Updated: May 13, 2026 | Published: Dec 20, 2017
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.8 MEDIUM
IBM Jazz for Service Management (IBM Tivoli Components 1.1.3) is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 135519.

Vendor: Ibm | Product: Jazz For Service Management
Updated: May 13, 2026 | Published: Dec 20, 2017
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.8 MEDIUM
IBM Jazz for Service Management (IBM Tivoli Components 1.1.3) is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 133140.

Vendor: Piwigo | Product: Piwigo
Updated: May 13, 2026 | Published: Dec 20, 2017
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.8 MEDIUM
admin/configuration.php in Piwigo 2.9.2 has CSRF.

Vendor: Trendmicro | Product: Scanmail
Updated: May 13, 2026 | Published: Dec 16, 2017
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.8 MEDIUM
The absence of Anti-CSRF tokens in Trend Micro ScanMail for Exchange 12.0 web interface forms could allow an attacker to submit authenticated requests when an authenticated user browses an attacker-controlled domain.

Vendor: Rapid7 | Product: Nexpose
Updated: May 13, 2026 | Published: Dec 14, 2017
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.8 MEDIUM
Versions of Nexpose prior to 6.4.66 fail to adequately validate the source of HTTP requests intended for the Automated Actions administrative web application, and are susceptible to a cross-site request forgery (CSRF) attack.

Vendor: Microfocus | Product: Project And Portfolio Management
Updated: May 13, 2026 | Published: Dec 13, 2017
CVSS: v4 N/A | v3 7.3 HIGH | v2 6.8 MEDIUM
Cross-Site Request Forgery vulnerability in Micro Focus Project and Portfolio Management Center, version 9.32. This vulnerability could be exploited to allow a Cross-Site Forgery attack.

Vendor: Zkteco | Product: Zktime Web
Updated: May 13, 2026 | Published: Dec 4, 2017
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.8 MEDIUM
The ZKTime Web Software 2.0.1.12280 allows the Administrator to elevate the privileges of the application user using a 'password_change()' function of the Modify Password component, reachable via the old_password, new_password1, and new_password2 parameters to the /accounts/password_change/ URI. An attacker takes advantage of this scenario and creates a crafted CSRF link to add himself as an administrator to the ZKTime Web Software. He then uses social engineering methods to trick the administrator into clicking the forged HTTP request. The request is executed and the attacker becomes the Administrator of the ZKTime Web Software. If the vulnerability is successfully exploited, then an attacker (who would be a normal user of the web application) can escalate his privileges and become the administrator of ZKTime Web Software.

Vendor: Apache | Product: Cxf Fediz
Updated: May 13, 2026 | Published: Nov 30, 2017
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.8 MEDIUM
Apache CXF Fediz ships with a number of container-specific plugins to enable WS-Federation for applications. A CSRF (Cross Style Request Forgery) style vulnerability has been found in the Spring 2, Spring 3 and Spring 4 plugins in versions before 1.4.3 and 1.3.3. The vulnerability can result in a security context that is set up using a malicious client's roles for the given enduser.

Vendor: Hitachivantara | Product: Pentaho Business Analytics
Updated: May 13, 2026 | Published: Nov 28, 2017
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.8 MEDIUM
In Hitachi Vantara Pentaho BA Platform through 8.0, a CSRF issue exists in the Business Analytics application.

Vendor: Huawei | Product: Hedex Lite
Updated: May 13, 2026 | Published: Nov 22, 2017
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.8 MEDIUM
HedEx Earlier than V200R006C00 versions has a cross-site request forgery (CSRF) vulnerability. An attacker could trick a user into accessing a website containing malicious scripts which may tamper with configurations and interrupt normal services.

Vendor: Vmware | Product: Vcenter Server
Updated: May 13, 2026 | Published: Nov 17, 2017
CVSS: v4 N/A | v3 7.5 HIGH | v2 5.0 MEDIUM
The flash-based vSphere Web Client (6.0 prior to 6.0 U3c and 5.5 prior to 5.5 U3f) i.e. not the new HTML5-based vSphere Client, contains SSRF and CRLF injection issues due to improper neutralization of URLs. An attacker may exploit these issues by sending a POST request with modified headers towards internal services leading to information disclosure.

Vendor: Embedplus | Product: Youtube
Updated: May 13, 2026 | Published: Nov 17, 2017
CVSS: v4 N/A | v3 6.5 MEDIUM | v2 4.3 MEDIUM
CSRF in YouTube (WordPress plugin) could allow an unauthenticated attacker to change any setting within the plugin.

Vendor: Netapp | Product: Snapcenter Server
Updated: May 13, 2026 | Published: Nov 16, 2017
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.8 MEDIUM
NetApp SnapCenter Server versions 1.1 through 2.x are susceptible to a Cross-Site Request Forgery (CSRF) vulnerability which could be used to cause an unintended authenticated action in the user interface.

Vendor: D Link | Product: Dcs 936l
Updated: May 13, 2026 | Published: Nov 15, 2017
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.8 MEDIUM
D-Link DCS-936L devices with firmware before 1.05.07 have an inadequate CSRF protection mechanism that requires the device's IP address to be a substring of the HTTP Referer header.

Vendor: Microsoft | Products (2): Project Server, Sharepoint Enterprise Server
Updated: May 13, 2026 | Published: Nov 15, 2017
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.8 MEDIUM
Microsoft Project Server and Microsoft SharePoint Enterprise Server 2016 allow an attacker to use cross-site forgery to read content that they are not authorized to read, use the victim's identity to take actions on the web application on behalf of the victim, such as change permissions and delete content, and inject malicious content in the browser of the victim, aka "Microsoft Project Server Elevation of Privilege Vulnerability".

Vendor: Mybb | Product: Mybb
Updated: May 13, 2026 | Published: Nov 10, 2017
CVSS: v4 N/A | v3 9.8 CRITICAL | v2 7.5 HIGH
The installer in MyBB before 1.8.13 allows remote attackers to execute arbitrary code by writing to the configuration file.

Vendor: Keystonejs | Product: Keystone
Updated: May 13, 2026 | Published: Nov 6, 2017
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.8 MEDIUM
KeystoneJS before 4.0.0-beta.7 allows application-wide CSRF bypass by removing the CSRF parameter and value, aka SecureLayer7 issue number SL7_KEYJS_03. In other words, it fails to reject requests that lack an x-csrf-token header.

Vendor: Grandstream | Product: Ht802 Firmware
Updated: May 13, 2026 | Published: Nov 6, 2017
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.8 MEDIUM
Cross-Site Request Forgery (CSRF) in /cgi-bin/login on Vonage (Grandstream) HT802 devices allows attackers to authenticate a user via the login screen using the default password of 123 and submit arbitrary requests.