Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

CVEs (9,314)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2017-8100 1Artistscope 1Copysafe Web Protection May 13, 2026 Apr 24, 2017 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 There is CSRF in the CopySafe Web Protection plugin before 2.6 for WordPress, allowing attackers to change plugin settings.
CVE-2017-8099 1Browserweb Inc 1Whizz May 13, 2026 Apr 24, 2017 N/A· v4 8.1 HIGH· v3 5.8 MEDIUM· v2 There is CSRF in the WHIZZ plugin before 1.1.1 for WordPress, allowing attackers to delete any WordPress users and change the plugin's status via a GET request.
CVE-2017-8098 1E107 1E107 May 13, 2026 Apr 24, 2017 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 e107 2.1.4 is vulnerable to cross-site request forgery in plugin-installing, meta-changing, and settings-changing. A malicious web page can use forged requests to make e107 download and install a plug-in provided by the...Show more e107 2.1.4 is vulnerable to cross-site request forgery in plugin-installing, meta-changing, and settings-changing. A malicious web page can use forged requests to make e107 download and install a plug-in provided by the attacker.Show less
CVE-2016-3691 1Kallithea Scm 1Kallithea May 13, 2026 Apr 24, 2017 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Routes in Kallithea before 0.3.2 allows remote attackers to bypass the CSRF protection by using the GET HTTP request method.
CVE-2017-7852 1Dlink 26Dcs 2132l Firmware Dcs 2136l FirmwareDcs 2210l Firmware+23 more May 13, 2026 Apr 24, 2017 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 D-Link DCS cameras have a weak/insecure CrossDomain.XML file that allows sites hosting malicious Flash objects to access and/or change the device's settings via a CSRF attack. This is because of the 'allow-access-from do...Show more D-Link DCS cameras have a weak/insecure CrossDomain.XML file that allows sites hosting malicious Flash objects to access and/or change the device's settings via a CSRF attack. This is because of the 'allow-access-from domain' child element set to *, thus accepting requests from any domain. If a victim logged into the camera's web console visits a malicious site hosting a malicious Flash file from another Browser tab, the malicious Flash file then can send requests to the victim's DCS series Camera without knowing the credentials. An attacker can host a malicious Flash file that can retrieve Live Feeds or information from the victim's DCS series Camera, add new admin users, or make other changes to the device. Known affected devices are DCS-933L with firmware before 1.13.05, DCS-5030L, DCS-5020L, DCS-2530L, DCS-2630L, DCS-930L, DCS-932L, and DCS-932LB1.Show less
CVE-2017-8082 1Concretecms 1Concrete Cms May 13, 2026 Apr 24, 2017 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 concrete5 8.1.0 has CSRF in Thumbnail Editor in the File Manager, which allows remote attackers to disable the entire installation by merely tricking an admin into viewing a malicious page involving the /tools/required/f...Show more concrete5 8.1.0 has CSRF in Thumbnail Editor in the File Manager, which allows remote attackers to disable the entire installation by merely tricking an admin into viewing a malicious page involving the /tools/required/files/importers/imageeditor?fID=1&imgData= URI. This results in a site-wide denial of service making the site not accessible to any users or any administrators.Show less
CVE-2016-0720 3Clusterlabs FedoraprojectRedhat 3Enterprise Linux FedoraPcs May 13, 2026 Apr 21, 2017 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Cross-site request forgery (CSRF) vulnerability in pcsd web UI in pcs before 0.9.149.
CVE-2017-7951 1Wondercms 1Wondercms May 13, 2026 Apr 21, 2017 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 WonderCMS before 2.0.3 has CSRF because of lack of a token in an unspecified context.
CVE-2017-7990 1Openmrs 1Openmrs Module Reporting May 13, 2026 Apr 21, 2017 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 The Reporting Module 1.12.0 for OpenMRS allows CSRF attacks with resultant XSS, in which administrative authentication is hijacked to insert JavaScript into a name field in webapp/reports/manageReports.jsp.
CVE-2016-5401 1Redhat 2Jboss Bpm Suite Jboss Enterprise Brms Platform May 13, 2026 Apr 20, 2017 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Cross-site request forgery (CSRF) vulnerability in Red Hat JBoss BRMS and BPMS 6 allows remote attackers to hijack the authentication of users for requests that modify instances via a crafted web page.
CVE-2016-3734 1Moodle 1Moodle May 13, 2026 Apr 20, 2017 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Cross-site request forgery (CSRF) vulnerability in markposts.php in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.11, 2.7 through 2.7.13 and earlier allows remote attackers to hijack the authentication of...Show more Cross-site request forgery (CSRF) vulnerability in markposts.php in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.11, 2.7 through 2.7.13 and earlier allows remote attackers to hijack the authentication of users for requests that marks forum posts as read.Show less
CVE-2016-1161 1Zohocorp 1Password Manager Pro May 13, 2026 Apr 20, 2017 N/A· v4 8.0 HIGH· v3 6.0 MEDIUM· v2 Cross-site request forgery (CSRF) vulnerability in ManageEngine Password Manager Pro before 8.5 (Build 8500).
CVE-2017-5156 1Aveva 1Wonderware Intouch Access Anywhere May 13, 2026 Apr 20, 2017 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 A Cross-Site Request Forgery issue was discovered in Schneider Electric Wonderware InTouch Access Anywhere, version 11.5.2 and prior. The client request may be forged from a different site. This will allow an external si...Show more A Cross-Site Request Forgery issue was discovered in Schneider Electric Wonderware InTouch Access Anywhere, version 11.5.2 and prior. The client request may be forged from a different site. This will allow an external site to access internal RDP systems on behalf of the currently logged in user.Show less
CVE-2017-7881 1Bigtreecms 1Bigtree Cms May 13, 2026 Apr 15, 2017 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 BigTree CMS through 4.2.17 relies on a substring check for CSRF protection, which allows remote attackers to bypass this check by placing the required admin/developer/ URI within a query string in an HTTP Referer header....Show more BigTree CMS through 4.2.17 relies on a substring check for CSRF protection, which allows remote attackers to bypass this check by placing the required admin/developer/ URI within a query string in an HTTP Referer header. This was found in core/admin/modules/developer/_header.php and patched in core/inc/bigtree/admin.php on 2017-04-14.Show less
CVE-2017-7877 1Flatcore 1Flatcore Cms May 13, 2026 Apr 14, 2017 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 CSRF vulnerability in flatCore version 1.4.6 allows remote attackers to modify CMS configurations.
CVE-2016-4891 1Setucocms Project 1Setucocms May 13, 2026 Apr 12, 2017 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Cross-site request forgery (CSRF) vulnerability in SetsucoCMS all versions allows remote attackers to hijack the authentication of an administrator to change settings via unspecified vectors.
CVE-2015-7563 1Teampass 1Teampass May 13, 2026 Apr 12, 2017 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Cross-site request forgery (CSRF) vulnerability in TeamPass 2.1.24 and earlier allows remote attackers to hijack the authentication of an authenticated user.
CVE-2016-8718 1Moxa 1Awk 3131a Firmware May 13, 2026 Apr 12, 2017 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 An exploitable Cross-Site Request Forgery vulnerability exists in the Web Application functionality of Moxa AWK-3131A Wireless Access Point running firmware 1.1. A specially crafted form can trick a client into making an...Show more An exploitable Cross-Site Request Forgery vulnerability exists in the Web Application functionality of Moxa AWK-3131A Wireless Access Point running firmware 1.1. A specially crafted form can trick a client into making an unintentional request to the web server which will be treated as an authentic request.Show less
CVE-2016-4319 1Atlassian 1Jira May 13, 2026 Apr 10, 2017 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Atlassian JIRA Server before 7.1.9 has CSRF in auditing/settings.
CVE-2015-8255 1Axis 1Axis Communications Firmware May 13, 2026 Apr 10, 2017 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 AXIS Communications products allow CSRF, as demonstrated by admin/pwdgrp.cgi, vaconfig.cgi, and admin/local_del.cgi.

Previous 1...400401402...466 Next