Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

CVEs (9,314)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2016-5758 1Netiq 1Access Manager May 13, 2026 Mar 23, 2017 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 A cross site request forgery protection mechanism in NetIQ Access Manager 4.1 before 4.1.2 Hot Fix 1 and 4.2 before 4.2.2 could be circumvented by repeated uploads causing a high load.
CVE-2017-5874 1D Link 1Dir 600m Firmware May 13, 2026 Mar 22, 2017 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 CSRF exists on D-Link DIR-600M Rev. Cx devices before v3.05ENB01_beta_20170306. This can be used to bypass authentication and insert XSS sequences or possibly have unspecified other impact.
CVE-2016-4504 1Meteocontrol 1Weblog May 13, 2026 Mar 21, 2017 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 A Cross-Site Request Forgery issue was discovered in Meteocontrol WEB'log Basic 100 all versions, Light all versions, Pro all versions, and Pro Unlimited all versions. There is no CSRF Token generated per page or per fun...Show more A Cross-Site Request Forgery issue was discovered in Meteocontrol WEB'log Basic 100 all versions, Light all versions, Pro all versions, and Pro Unlimited all versions. There is no CSRF Token generated per page or per function.Show less
CVE-2016-4928 1Juniper 1Junos Space May 13, 2026 Mar 20, 2017 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Cross site request forgery vulnerability in Junos Space before 15.2R2 allows remote attackers to perform certain administrative actions on Junos Space.
CVE-2017-6803 1Solarwinds 1Ftp Voyager May 13, 2026 Mar 20, 2017 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Multiple cross-site request forgery (CSRF) vulnerabilities in the web interface in the Scheduler in SolarWinds (formerly Serv-U) FTP Voyager 16.2.0 allow remote attackers to hijack the authentication of users for request...Show more Multiple cross-site request forgery (CSRF) vulnerabilities in the web interface in the Scheduler in SolarWinds (formerly Serv-U) FTP Voyager 16.2.0 allow remote attackers to hijack the authentication of users for requests that (1) change the admin password, (2) terminate the scheduler, or (3) possibly execute arbitrary commands via crafted requests to Admin/XML/Result.xml.Show less
CVE-2017-7178 2Debian Deluge Torrent 2Debian Linux Deluge May 13, 2026 Mar 18, 2017 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 CSRF was discovered in the web UI in Deluge before 1.3.14. The exploitation methodology involves (1) hosting a crafted plugin that executes an arbitrary program from its __init__.py file and (2) causing the victim to dow...Show more CSRF was discovered in the web UI in Deluge before 1.3.14. The exploitation methodology involves (1) hosting a crafted plugin that executes an arbitrary program from its __init__.py file and (2) causing the victim to download, install, and enable this plugin.Show less
CVE-2017-3877 1Cisco 1Unified Communications Manager May 13, 2026 Mar 17, 2017 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 A vulnerability in the web framework of Cisco Unified Communications Manager (CallManager) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack against a user of the web i...Show more A vulnerability in the web framework of Cisco Unified Communications Manager (CallManager) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack against a user of the web interface of the affected software. More Information: CSCvb70021. Known Affected Releases: 11.5(1.11007.2).Show less
CVE-2017-0045 1Microsoft 3Windows 7 Windows Server 2008Windows Vista May 13, 2026 Mar 17, 2017 N/A· v4 5.5 MEDIUM· v3 4.3 MEDIUM· v2 Windows DVD Maker in Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, and Windows Vista SP2 does not properly parse crafted .msdvd files, which allows attackers to obtain information to compromise a target system, aka...Show more Windows DVD Maker in Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, and Windows Vista SP2 does not properly parse crafted .msdvd files, which allows attackers to obtain information to compromise a target system, aka "Windows DVD Maker Cross-Site Request Forgery Vulnerability."Show less
CVE-2017-6379 1Drupal 1Drupal May 13, 2026 Mar 16, 2017 N/A· v4 7.5 HIGH· v3 5.1 MEDIUM· v2 Some administrative paths in Drupal 8.2.x before 8.2.7 did not include protection for CSRF. This would allow an attacker to disable some blocks on a site. This issue is mitigated by the fact that users would have to know...Show more Some administrative paths in Drupal 8.2.x before 8.2.7 did not include protection for CSRF. This would allow an attacker to disable some blocks on a site. This issue is mitigated by the fact that users would have to know the block ID.Show less
CVE-2017-6918 1Bigtreecms 1Bigtree Cms May 13, 2026 Mar 15, 2017 N/A· v4 4.3 MEDIUM· v3 4.3 MEDIUM· v2 CSRF exists in BigTree CMS 4.2.16 with the value[#][*] parameter to the admin/settings/update/ page. The Navigation Social can be changed.
CVE-2017-6917 1Bigtreecms 1Bigtree Cms May 13, 2026 Mar 15, 2017 N/A· v4 4.3 MEDIUM· v3 4.3 MEDIUM· v2 CSRF exists in BigTree CMS 4.2.16 with the value parameter to the admin/settings/update/ page. The Colophon can be changed.
CVE-2017-6916 1Bigtreecms 1Bigtree Cms May 13, 2026 Mar 15, 2017 N/A· v4 4.3 MEDIUM· v3 4.3 MEDIUM· v2 CSRF exists in BigTree CMS 4.1.18 with the nav-social[#] parameter to the admin/settings/update/ page. The Navigation Social can be changed.
CVE-2017-6915 1Bigtreecms 1Bigtree Cms May 13, 2026 Mar 15, 2017 N/A· v4 4.3 MEDIUM· v3 4.3 MEDIUM· v2 CSRF exists in BigTree CMS 4.1.18 with the colophon parameter to the admin/settings/update/ page. The Colophon can be changed.
CVE-2017-6914 1Bigtreecms 1Bigtree Cms May 13, 2026 Mar 15, 2017 N/A· v4 7.1 HIGH· v3 5.8 MEDIUM· v2 CSRF exists in BigTree CMS 4.1.18 and 4.2.16 with the id parameter to the admin/ajax/users/delete/ page. A user can be deleted.
CVE-2017-6366 1Netgear 1Dgn2200 Firmware May 13, 2026 Mar 15, 2017 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Cross-site request forgery (CSRF) vulnerability in NETGEAR DGN2200 routers with firmware 10.0.0.20 through 10.0.0.50 allows remote attackers to hijack the authentication of users for requests that perform DNS lookups via...Show more Cross-site request forgery (CSRF) vulnerability in NETGEAR DGN2200 routers with firmware 10.0.0.20 through 10.0.0.50 allows remote attackers to hijack the authentication of users for requests that perform DNS lookups via the host_name parameter to dnslookup.cgi. NOTE: this issue can be combined with CVE-2017-6334 to execute arbitrary code remotely.Show less
CVE-2016-8018 1Mcafee 1Virusscan Enterprise May 13, 2026 Mar 14, 2017 N/A· v4 4.3 MEDIUM· v3 6.0 MEDIUM· v2 Cross-site request forgery (CSRF) vulnerability in Intel Security VirusScan Enterprise Linux (VSEL) 2.0.3 (and earlier) allows authenticated remote attackers to execute unauthorized commands via a crafted user input.
CVE-2017-6180 1Keekoonvision 1Kk002 Ip Camera Firmware May 13, 2026 Mar 13, 2017 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Keekoon KK002 devices 1.8.12 HD have a Cross Site Request Forgery Vulnerability affecting goform/formChnUserPwd and goform/formUserMng (and the entire set of other pages).
CVE-2017-6081 1Zammad 1Zammad May 13, 2026 Mar 13, 2017 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 A CSRF issue was discovered in Zammad before 1.0.4, 1.1.x before 1.1.3, and 1.2.x before 1.2.1. To exploit the vulnerability, an attacker can send cross-domain requests directly to the REST API for users with a valid ses...Show more A CSRF issue was discovered in Zammad before 1.0.4, 1.1.x before 1.1.3, and 1.2.x before 1.2.1. To exploit the vulnerability, an attacker can send cross-domain requests directly to the REST API for users with a valid session cookie.Show less
CVE-2017-6080 1Zammad 1Zammad May 13, 2026 Mar 13, 2017 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 An issue was discovered in Zammad before 1.0.4, 1.1.x before 1.1.3, and 1.2.x before 1.2.1, caused by lack of a protection mechanism involving HTTP Access-Control headers. To exploit the vulnerability, an attacker can se...Show more An issue was discovered in Zammad before 1.0.4, 1.1.x before 1.1.3, and 1.2.x before 1.2.1, caused by lack of a protection mechanism involving HTTP Access-Control headers. To exploit the vulnerability, an attacker can send cross-domain requests directly to the REST API for users with a valid session cookie and receive the result.Show less
CVE-2017-6819 1Wordpress 1Wordpress May 13, 2026 Mar 12, 2017 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 In WordPress before 4.7.3, there is cross-site request forgery (CSRF) in Press This (wp-admin/includes/class-wp-press-this.php), leading to excessive use of server resources. The CSRF can trigger an outbound HTTP request...Show more In WordPress before 4.7.3, there is cross-site request forgery (CSRF) in Press This (wp-admin/includes/class-wp-press-this.php), leading to excessive use of server resources. The CSRF can trigger an outbound HTTP request for a large file that is then parsed by Press This.Show less

Previous 1...402403404...466 Next