Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

CVEs (9,314)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2016-2539 1Atutor 1Atutor May 13, 2026 Feb 7, 2017 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Cross-site request forgery (CSRF) vulnerability in install_modules.php in ATutor before 2.2.2 allows remote attackers to hijack the authentication of users for requests that upload arbitrary files and execute arbitrary P...Show more Cross-site request forgery (CSRF) vulnerability in install_modules.php in ATutor before 2.2.2 allows remote attackers to hijack the authentication of users for requests that upload arbitrary files and execute arbitrary PHP code via vectors involving a crafted zip file.Show less
CVE-2017-5368 1Zoneminder 1Zoneminder May 13, 2026 Feb 6, 2017 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 ZoneMinder v1.30 and v1.29, an open-source CCTV server web application, is vulnerable to CSRF (Cross Site Request Forgery) which allows a remote attack to make changes to the web application as the current logged in vict...Show more ZoneMinder v1.30 and v1.29, an open-source CCTV server web application, is vulnerable to CSRF (Cross Site Request Forgery) which allows a remote attack to make changes to the web application as the current logged in victim. If the victim visits a malicious web page, the attacker can silently and automatically create a new admin user within the web application for remote persistence and further attacks. The URL is /zm/index.php and sample parameters could include action=user uid=0 newUser[Username]=attacker1 newUser[Password]=Password1234 conf_password=Password1234 newUser[System]=Edit (among others).Show less
CVE-2016-6103 1Ibm 1Security Key Lifecycle Manager May 13, 2026 Feb 2, 2017 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 IBM Tivoli Key Lifecycle Manager 2.5 and 2.6 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.
CVE-2016-8941 1Ibm 2Spectrum Control Tivoli Storage Productivity Center May 13, 2026 Feb 1, 2017 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 IBM Tivoli Storage Productivity Center is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.
CVE-2016-6045 1Ibm 1Tivoli Storage Manager May 13, 2026 Feb 1, 2017 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 IBM Tivoli Storage Manager Operations Center is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.
CVE-2016-5937 1Ibm 1Kenexa Lcms Premier May 13, 2026 Feb 1, 2017 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 IBM Kenexa LCMS Premier on Cloud is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.
CVE-2016-3029 1Ibm 3Security Access Manager 9.0 Firmware Security Access Manager For Mobile 8.0 FirmwareSecurity Access Manager For Web 8.0 Firmware May 13, 2026 Feb 1, 2017 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 IBM Security Access Manager for Web is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.
CVE-2017-3794 1Cisco 1Webex Meetings Server May 13, 2026 Jan 26, 2017 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 A vulnerability in Cisco WebEx Meetings Server could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack against an administrative user. More Information: CSCuz03317. Known Aff...Show more A vulnerability in Cisco WebEx Meetings Server could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack against an administrative user. More Information: CSCuz03317. Known Affected Releases: 2.6. Known Fixed Releases: 2.7.1.12.Show less
CVE-2016-9218 1Cisco 1Hybrid Meeting Server May 13, 2026 Jan 26, 2017 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 A vulnerability in Cisco Hybrid Meeting Server could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack against the user of the web interface. More Information: CSCvc28662. Kn...Show more A vulnerability in Cisco Hybrid Meeting Server could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack against the user of the web interface. More Information: CSCvc28662. Known Affected Releases: 1.0.Show less
CVE-2016-6521 1Gopivotal 1Grails May 13, 2026 Jan 23, 2017 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Cross-site request forgery (CSRF) vulnerability in Grails console (aka Grails Debug Console and Grails Web Console) 2.0.7, 1.5.10, and earlier allows remote attackers to hijack the authentication of users for requests th...Show more Cross-site request forgery (CSRF) vulnerability in Grails console (aka Grails Debug Console and Grails Web Console) 2.0.7, 1.5.10, and earlier allows remote attackers to hijack the authentication of users for requests that execute arbitrary Groovy code via unspecified vectors.Show less
CVE-2016-3406 1Synacor 1Zimbra Collaboration Suite May 13, 2026 Jan 18, 2017 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Multiple cross-site request forgery (CSRF) vulnerabilities in Zimbra Collaboration before 8.7.0 allow remote attackers to hijack the authentication of unspecified victims via vectors involving (1) the Client uploader ext...Show more Multiple cross-site request forgery (CSRF) vulnerabilities in Zimbra Collaboration before 8.7.0 allow remote attackers to hijack the authentication of unspecified victims via vectors involving (1) the Client uploader extension or (2) extension REST handlers, aka bugs 104294 and 104456.Show less
CVE-2016-6897 1Wordpress 1Wordpress May 13, 2026 Jan 18, 2017 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 Cross-site request forgery (CSRF) vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 allows remote attackers to hijack the authentication of subscribers for...Show more Cross-site request forgery (CSRF) vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 allows remote attackers to hijack the authentication of subscribers for /dev/random read operations by leveraging a late call to the check_ajax_referer function, a related issue to CVE-2016-6896.Show less
CVE-2016-7980 1Spip 1Spip May 13, 2026 Jan 18, 2017 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Cross-site request forgery (CSRF) vulnerability in ecrire/exec/valider_xml.php in SPIP 3.1.2 and earlier allows remote attackers to hijack the authentication of administrators for requests that execute the XML validator...Show more Cross-site request forgery (CSRF) vulnerability in ecrire/exec/valider_xml.php in SPIP 3.1.2 and earlier allows remote attackers to hijack the authentication of administrators for requests that execute the XML validator on a local file via a crafted valider_xml request. NOTE: this issue can be combined with CVE-2016-7998 to execute arbitrary PHP code.Show less
CVE-2016-7904 1Cmsmadesimple 1Cms Made Simple May 13, 2026 Jan 16, 2017 N/A· v4 8.0 HIGH· v3 6.0 MEDIUM· v2 Cross-site request forgery (CSRF) vulnerability in CMS Made Simple before 2.1.6 allows remote attackers to hijack the authentication of administrators for requests that create accounts via an admin/adduser.php request.
CVE-2017-5492 1Wordpress 1Wordpress May 13, 2026 Jan 15, 2017 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Cross-site request forgery (CSRF) vulnerability in the widget-editing accessibility-mode feature in WordPress before 4.7.1 allows remote attackers to hijack the authentication of unspecified victims for requests that per...Show more Cross-site request forgery (CSRF) vulnerability in the widget-editing accessibility-mode feature in WordPress before 4.7.1 allows remote attackers to hijack the authentication of unspecified victims for requests that perform a widgets-access action, related to wp-admin/includes/class-wp-screen.php and wp-admin/widgets.php.Show less
CVE-2017-5489 1Wordpress 1Wordpress May 13, 2026 Jan 15, 2017 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Cross-site request forgery (CSRF) vulnerability in WordPress before 4.7.1 allows remote attackers to hijack the authentication of unspecified victims via vectors involving a Flash file upload.
CVE-2016-8201 1Brocade 1Virtual Traffic Manager May 13, 2026 Jan 14, 2017 N/A· v4 8.0 HIGH· v3 6.0 MEDIUM· v2 A CSRF vulnerability in Brocade Virtual Traffic Manager versions released prior to and including 11.0 could allow an attacker to trick a logged-in user into making administrative changes on the traffic manager cluster.
CVE-2017-5476 1S9y 1Serendipity May 13, 2026 Jan 14, 2017 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Serendipity through 2.0.5 allows CSRF for the installation of an event plugin or a sidebar plugin.
CVE-2017-5475 1S9y 1Serendipity May 13, 2026 Jan 14, 2017 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 comment.php in Serendipity through 2.0.5 allows CSRF in deleting any comments.
CVE-2017-5473 1Ntop 1Ntopng May 13, 2026 Jan 14, 2017 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Cross-site request forgery (CSRF) vulnerability in ntopng through 2.4 allows remote attackers to hijack the authentication of arbitrary users, as demonstrated by admin/add_user.lua, admin/change_user_prefs.lua, admin/del...Show more Cross-site request forgery (CSRF) vulnerability in ntopng through 2.4 allows remote attackers to hijack the authentication of arbitrary users, as demonstrated by admin/add_user.lua, admin/change_user_prefs.lua, admin/delete_user.lua, and admin/password_reset.lua.Show less

Previous 1...404405406...466 Next