CWE-352: Cross-Site Request Forgery (CSRF)
8,653 active CVEs are classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE.
CVEs classified under CWE-352 (page 58 of 174)
- CVE-2021-25117 | MEDIUM | CVSS 4.8 | EG 4.8 | 2024-01-16
The WP-PostRatings WordPress plugin before 1.86.1 does not sanitise the postratings_image parameter from its options page (wp-admin/admin.php?page=wp-postratings/postratings-options.php). Even though the page is only accessible to administ…
- CVE-2021-25326 | MEDIUM | CVSS 5.4 | EG 5.4 | 2021-04-09
Skyworth Digital Technology RN510 V.3.1.0.4 is affected by an incorrect access control vulnerability in /cgi-bin/test_version.asp. If Wi-Fi is connected but an unauthenticated user visits a URL, the SSID password and web UI password may be …
- CVE-2021-25327 | MEDIUM | CVSS 6.5 | EG 6.5 | 2021-04-09
Skyworth Digital Technology RN510 V.3.1.0.4 contains a cross-site request forgery (CSRF) vulnerability in /cgi-bin/net-routeadd.asp and /cgi-bin/sec-urlfilter.asp. Missing CSRF protection in devices can lead to XSRF, as the above pages are…
- CVE-2021-25765 | HIGH | CVSS 8.8 | EG 8.8 | 2021-02-03
In JetBrains YouTrack before 2020.4.4701, CSRF via attachment upload was possible.
- CVE-2021-25924 | HIGH | CVSS 8.8 | EG 8.8 | 2021-04-01
In GoCD, versions 19.6.0 to 21.1.0 are vulnerable to Cross-Site Request Forgery due to missing CSRF protection at the `/go/api/config/backup` endpoint. An attacker can trick a victim into clicking on a malicious link which could change backup c…
- CVE-2021-25930 | MEDIUM | CVSS 4.3 | EG 4.3 | 2021-05-20
In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.…
- CVE-2021-25931 | HIGH | CVSS 8.8 | EG 8.8 | 2021-05-20
In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.…
- CVE-2021-25965 | HIGH | CVSS 8.8 | EG 8.8 | 2021-11-16
In Calibre-web, versions 0.6.0 to 0.6.13 are vulnerable to Cross-Site Request Forgery (CSRF). By luring an authenticated user to click on a link, an attacker can create a new user role with admin privileges and attacker-controlled credenti…
- CVE-2021-25976 | HIGH | CVSS 8.1 | EG 8.1 | 2021-11-16
In PiranhaCMS, versions 4.0.0-alpha1 to 9.2.0 are vulnerable to cross-site request forgery (CSRF) when performing various actions supported by the management system, such as deleting a user, deleting a role, editing a post, deleting a medi…
- CVE-2021-26033 | MEDIUM | CVSS 6.5 | EG 6.5 | 2021-05-26
An issue was discovered in Joomla! 3.0.0 through 3.9.26. A missing token check causes a CSRF vulnerability in the AJAX reordering endpoint.
- CVE-2021-26034 | MEDIUM | CVSS 6.5 | EG 6.5 | 2021-05-26
An issue was discovered in Joomla! 3.0.0 through 3.9.26. A missing token check causes a CSRF vulnerability in data download endpoints in com_banners and com_sysinfo.
- CVE-2021-26071 | LOW | CVSS 3.5 | EG 3.5 | 2021-04-01
The SetFeatureEnabled.jspa resource in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to enable and disable Jira …
- CVE-2021-26215 | MEDIUM | CVSS 4.3 | EG 4.3 | 2021-03-18
SeedDMS 5.1.x is affected by cross-site request forgery (CSRF) in out.EditDocument.php.
- CVE-2021-26216 | MEDIUM | CVSS 4.3 | EG 4.3 | 2021-03-18
SeedDMS 5.1.x is affected by cross-site request forgery (CSRF) in out.EditFolder.php.
- CVE-2021-26296 | HIGH | CVSS 7.5 | EG 7.5 | 2021-02-19
In the default configuration, Apache MyFaces Core versions 2.2.0 to 2.2.13, 2.3.0 to 2.3.7, 2.3-next-M1 to 2.3-next-M4, and 3.0.0-RC1 use cryptographically weak implicit and explicit cross-site request forgery (CSRF) tokens. Due to that li…
- CVE-2021-26474 | HIGH | CVSS 8.6 | EG 8.8 | 2021-06-08
Various Vembu products allow an attacker to execute a (non-blind) http-only Cross Site Request Forgery. (Other products or versions of products in this family may be affected too.)
- CVE-2021-26800 | MEDIUM | CVSS 6.5 | EG 6.5 | 2021-12-16
Cross Site Request Forgery (CSRF) vulnerability in Change-password.php in phpgurukul user management system in php using stored procedure V1.0 allows attackers to change the password of an arbitrary account.
- CVE-2021-26960 | HIGH | CVSS 8.8 | EG 8.8 | 2021-03-05
A remote unauthenticated cross-site request forgery (csrf) vulnerability was discovered in Aruba AirWave Management Platform version(s): Prior to 8.2.12.0. A vulnerability in the AirWave web-based management interface could allow an unauth…
- CVE-2021-26961 | HIGH | CVSS 8.8 | EG 8.8 | 2021-03-05
A remote unauthenticated cross-site request forgery (csrf) vulnerability was discovered in Aruba AirWave Management Platform version(s): Prior to 8.2.12.0. A vulnerability in the AirWave web-based management interface could allow an unauth…
- CVE-2021-27181 | HIGH | CVSS 8.8 | EG 8.8 | 2021-04-14
An issue was discovered in MDaemon before 20.0.4. Remote Administration allows an attacker to perform a fixation of the anti-CSRF token. In order to exploit this issue, the user has to click on a malicious URL provided by the attacker and …
- CVE-2021-27557 | MEDIUM | CVSS 4.3 | EG 4.3 | 2021-08-31
A cross-site request forgery (CSRF) vulnerability in the Cron job tab in EasyCorp ZenTao 12.5.3 allows attackers to update the fields of a Cron job.
- CVE-2021-27701 | MEDIUM | CVSS 4.7 | EG 4.7 | 2024-11-12
SOCIFI Socifi Guest wifi as SAAS is affected by Cross Site Request Forgery (CSRF) via the Socifi wifi portal. The application does not contain a CSRF token and request validation. An attacker can Add/Modify any random user data by sending …
- CVE-2021-27704 | MEDIUM | CVSS 6.5 | EG 6.5 | 2024-11-12
Appspace 6.2.4 is affected by Incorrect Access Control via the Appspace Web Portal password reset page.
- CVE-2021-27758 | MEDIUM | CVSS 4.3 | EG 6.5 | 2022-05-06
There is a security vulnerability in the login form related to Cross-site Request Forgery which prevents a user from logging in after an attacker spams the login form and the system blocks the victim's account.
- CVE-2021-27759 | LOW | CVSS 2.3 | EG 6.5 | 2022-05-06
This vulnerability arises because the application allows the user to perform some sensitive action without verifying that the request was sent intentionally. An attacker can cause a victim's browser to emit an HTTP request to an arbitrary …
- CVE-2021-27885 | HIGH | CVSS 8.8 | EG 8.8 | 2021-03-02
usersettings.php in e107 through 2.3.0 lacks a certain e_TOKEN protection mechanism.
- CVE-2021-27927 | HIGH | CVSS 8.8 | EG 8.8 | 2021-03-03
In Zabbix from 4.0.x before 4.0.28rc1, 5.0.0alpha1 before 5.0.10rc1, 5.2.x before 5.2.6rc1, and 5.4.0alpha1 before 5.4.0beta2, the CControllerAuthenticationUpdate controller lacks a CSRF protection mechanism. The code inside this controlle…
- CVE-2021-28070 | MEDIUM | CVSS 4.3 | EG 4.3 | 2021-08-25
A Cross Site Request Forgery (CSRF) vulnerability exists in PopojiCMS 2.0.1 in po-admin/route.php?mod=user&act=multidelete.
- CVE-2021-28280 | MEDIUM | CVSS 6.1 | EG 6.1 | 2021-04-29
CSRF + Cross-site scripting (XSS) vulnerability in search.php in PHPFusion 9.03.110 allows remote attackers to inject arbitrary web script or HTML.
- CVE-2021-28490 | HIGH | CVSS 8.8 | EG 8.8 | 2021-08-19
In OWASP CSRFGuard through 3.1.0, CSRF can occur because the CSRF cookie may be retrieved by using only a session token.
- CVE-2021-28656 | MEDIUM | CVSS 5.4 | EG 5.4 | 2024-04-09
Cross-Site Request Forgery (CSRF) vulnerability in the Credential page of Apache Zeppelin allows an attacker to submit a malicious request. This issue affects Apache Zeppelin version 0.9.0 and prior versions.
- CVE-2021-29050 | HIGH | CVSS 8.8 | EG 8.8 | 2024-02-20
Cross-Site Request Forgery (CSRF) vulnerability in the terms of use page in Liferay Portal before 7.3.6, and Liferay DXP 7.3 before service pack 1, 7.2 before fix pack 11 allows remote attackers to accept the site's terms of use via social…
- CVE-2021-29054 | HIGH | CVSS 8.8 | EG 8.8 | 2021-04-13
Certain Papoo products are affected by: Cross Site Request Forgery (CSRF) in the admin interface. This affects Papoo CMS Light through 21.02 and Papoo CMS Pro through 6.0.1. The impact is: gain privileges (remote).
- CVE-2021-29238 | HIGH | CVSS 8.8 | EG 8.8 | 2021-05-03
CODESYS Automation Server before 1.16.0 allows cross-site request forgery (CSRF).
- CVE-2021-29334 | HIGH | CVSS 8.8 | EG 8.8 | 2022-11-23
An issue was discovered in JIZHI CMS 1.9.4. There is a CSRF vulnerability that can add an admin account via index, /admin.php/Admin/adminadd.html.
- CVE-2021-29349 | MEDIUM | CVSS 6.5 | EG 6.5 | 2021-03-31
Mahara 20.10 is affected by Cross Site Request Forgery (CSRF) that allows a remote attacker to remove inbox-mail on the server. The application fails to validate the CSRF token for a POST request. An attacker can craft a module/multirecipi…
- CVE-2021-29400 | MEDIUM | CVSS 6.5 | EG 6.5 | 2021-08-10
A cross-site request forgery (CSRF) vulnerability in the My SMTP Contact v1.1.1 plugin for GetSimple CMS allows remote attackers to change the SMTP settings of the contact forms for the webpages of the CMS after an authenticated admin visi…
- CVE-2021-29435 | HIGH | CVSS 8.1 | EG 8.1 | 2021-04-13
trestle-auth is an authentication plugin for the Trestle admin framework. A vulnerability in trestle-auth versions 0.4.0 and 0.4.1 allows an attacker to create a form that will bypass Rails' built-in CSRF protection when submitted by a vic…
- CVE-2021-29436 | MEDIUM | CVSS 5.4 | EG 5.4 | 2021-04-13
Anuko Time Tracker is an open source, web-based time tracking application written in PHP. In Time Tracker before version 1.19.27.5431 a Cross site request forgery (CSRF) vulnerability existed. The nature of CSRF is that a logged on user ma…
- CVE-2021-29624 | MEDIUM | CVSS 6.5 | EG 6.5 | 2021-05-19
fastify-csrf is an open-source plugin that helps developers protect their Fastify server against CSRF attacks. Versions of fastify-csrf prior to 3.1.0 have a "double submit" mechanism using cookies with an application deployed across multiple s…
- CVE-2021-29660 | HIGH | CVSS 8.8 | EG 8.8 | 2021-04-02
A Cross-Site Request Forgery (CSRF) vulnerability in en/cfg_setpwd.html in Softing AG OPC Toolbox through 4.10.1.13035 allows attackers to reset the administrative password by inducing the Administrator user to browse a URL controlled by a…
- CVE-2021-29756 | HIGH | CVSS 8.8 | EG 8.8 | 2021-12-03
IBM Cognos Analytics 11.1.7 and 11.2.0 are vulnerable to cross-site request forgery (CSRF) in the My Inbox page which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM…
- CVE-2021-29757 | HIGH | CVSS 8.8 | EG 8.8 | 2021-08-02
IBM QRadar User Behavior Analytics 4.1.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 202168.
- CVE-2021-29816 | MEDIUM | CVSS 6.5 | EG 6.5 | 2021-09-23
IBM Jazz for Service Management 1.1.3.10 and IBM Tivoli Netcool/OMNIbus_GUI are vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website tr…
- CVE-2021-29823 | MEDIUM | CVSS 6.5 | EG 6.5 | 2022-09-01
IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 are vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 204465.
- CVE-2021-29837 | HIGH | CVSS 8.8 | EG 8.8 | 2021-10-06
IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 6.1.1.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. I…
- CVE-2021-29888 | HIGH | CVSS 8.8 | EG 8.8 | 2021-11-02
IBM InfoSphere Information Server 11.7 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 207123.
- CVE-2021-29995 | HIGH | CVSS 8.8 | EG 8.8 | 2021-06-09
A Cross Site Request Forgery (CSRF) issue in Server Console in CloverDX through 5.9.0 allows remote attackers to execute any action as the logged-in user (including script execution). The issue is resolved in CloverDX 5.10, CloverDX 5.9.1,…
- CVE-2021-30112 | MEDIUM | CVSS 6.5 | EG 6.5 | 2021-04-08
Web-School ERP V 5.0 contains a cross-site request forgery (CSRF) vulnerability that allows a remote attacker to create a student_leave_application request through module/core/studentleaveapplication/create. The application fails to valida…
- CVE-2021-30114 | MEDIUM | CVSS 6.5 | EG 6.5 | 2021-04-08
Web-School ERP V 5.0 contains a cross-site request forgery (CSRF) vulnerability that allows a remote attacker to create a voucher payment request through module/accounting/voucher/create. The application fails to validate the CSRF token fo…