CVEbaza.plCWE DictionaryCWE-352
Common Weakness Enumeration

CWE-352

Cross-Site Request Forgery (CSRF)

Category: CompoundCVE: 10,574
Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

CVE vulnerabilities with CWE-352 (10,574)
10.0
CVSS
CRITICAL
CVE-2025-12479

Systemic Lack of Cross-Site Request Forgery (CSRF) Token Implementation.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5 .

pub. 2025-10-29
10.0
CVSS
CRITICAL
CVE-2025-32642

Cross-Site Request Forgery (CSRF) vulnerability in appsbd Vite Coupon vite-coupon allows Remote Code Inclusion.This issue affects Vite Coupon: from n/a through <= 1.0.9.

pub. 2025-04-09
10.0
CVSS
CRITICAL
CVE-2025-23922

Cross-Site Request Forgery (CSRF) vulnerability in Harsh iSpring Embedder embed-ispring allows Upload a Web Shell to a Web Server.This issue affects iSpring Embedder: from n/a through <= 1.0.

pub. 2025-01-16
10.0
CVSS
CRITICAL
CVE-2023-45128

Fiber is an express inspired web framework written in Go. A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the application, which allows an attacker to inject arbitrary values and forge malicious requests on behalf of a user. This vulnerability can allow an attacker to inject arbitrary values without any authentication, or perform various malicious actions on behalf of an authenticated user, potentially compromising the security and integrity of the application. The vulnerability is caused by improper validation and enforcement of CSRF tokens within the application. This issue has been addressed in version 2.50.0 and users are advised to upgrade. Users should take additional security measures like captchas or Two-Factor Authentication (2FA) and set Session cookies with SameSite=Lax or SameSite=Secure, and the Secure and HttpOnly attributes as defense in depth measures. There are no known workarounds for this vulnerability.

pub. 2023-10-16
10.0
CVSS
CRITICAL
CVE-2017-5145

An issue was discovered in Carlo Gavazzi VMU-C EM prior to firmware Version A11_U05, and VMU-C PV prior to firmware Version A17. Successful exploitation of this CROSS-SITE REQUEST FORGERY (CSRF) vulnerability can allow execution of unauthorized actions on the device such as configuration parameter changes, and saving modified configuration.

pub. 2017-02-13
10.0
CVSS
HIGH
CVE-2013-2762

The Schneider Electric Magelis XBT HMI controller has a default password for authentication of configuration uploads, which makes it easier for remote attackers to bypass intended access restrictions via crafted configuration data.

pub. 2013-04-04
9.8
CVSS
CRITICAL
CVE-2025-48340

Cross-Site Request Forgery (CSRF) vulnerability in Danny Vink User Profile Meta Manager user-profile-meta allows Privilege Escalation.This issue affects User Profile Meta Manager: from n/a through <= 1.02.

pub. 2025-05-19
9.8
CVSS
CRITICAL
CVE-2025-2907

The Order Delivery Date WordPress plugin before 12.3.1 does not have authorization and CSRF checks when importing settings. Furthermore it also lacks proper checks to only update options relevant to the Order Delivery Date WordPress plugin before 12.3.1. This leads to attackers being able to modify the default_user_role to administrator and users_can_register, allowing them to register as an administrator of the site for complete site takeover.

pub. 2025-04-26
9.8
CVSS
CRITICAL
CVE-2025-31033

Cross-Site Request Forgery (CSRF) vulnerability in Adam Nowak Buddypress Humanity buddypress-humanity allows Cross Site Request Forgery.This issue affects Buddypress Humanity: from n/a through <= 1.2.

pub. 2025-04-09
9.8
CVSS
CRITICAL
CVE-2025-23797

Cross-Site Request Forgery (CSRF) vulnerability in Mike Selander WP Options Editor wp-options-editor allows Privilege Escalation.This issue affects WP Options Editor: from n/a through <= 1.1.

pub. 2025-01-16
9.8
CVSS
CRITICAL
CVE-2024-56012

Cross-Site Request Forgery (CSRF) vulnerability in lizeipe Flash News / Post (Responsive) flashnews-fading-effect-pearlbells allows Privilege Escalation.This issue affects Flash News / Post (Responsive): from n/a through <= 4.1.

pub. 2024-12-16
9.8
CVSS
CRITICAL
CVE-2024-44677

eladmin v2.7 and before is vulnerable to Server-Side Request Forgery (SSRF) which allows an attacker to execute arbitrary code via the DatabaseController.java component.

pub. 2024-09-10
9.8
CVSS
CRITICAL
CVE-2024-34502

An issue was discovered in WikibaseLexeme in MediaWiki before 1.39.6, 1.40.x before 1.40.2, and 1.41.x before 1.41.1. Loading Special:MergeLexemes will (attempt to) make an edit that merges the from-id to the to-id, even if the request was not a POST request, and even if it does not contain an edit token.

pub. 2024-05-05
9.8
CVSS
CRITICAL
CVE-2024-33449

An SSRF issue in the PDFMyURL service allows a remote attacker to obtain sensitive information and execute arbitrary code via a POST request in the url parameter

pub. 2024-04-29
9.8
CVSS
CRITICAL
CVE-2024-29684

DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /src/dede/makehtml_homepage.php allowing a remote attacker to execute arbitrary code.

pub. 2024-03-26
9.8
CVSS
CRITICAL
CVE-2023-4659

Cross-Site Request Forgery vulnerability, whose exploitation could allow an attacker to perform different actions on the platform as an administrator, simply by changing the token value to "admin". It is also possible to perform POST, GET and DELETE requests without any token value. Therefore, an unprivileged remote user is able to create, delete and modify users within theapplication.

pub. 2023-10-02
9.8
CVSS
CRITICAL
CVE-2022-20861

Multiple vulnerabilities in Cisco Nexus Dashboard could allow an unauthenticated, remote attacker to execute arbitrary commands, read or upload container image files, or perform a cross-site request forgery attack. For more information about these vulnerabilities, see the Details section of this advisory.

pub. 2022-07-21
9.8
CVSS
CRITICAL
CVE-2022-1574

The HTML2WP WordPress plugin through 1.0.0 does not have authorisation and CSRF checks when importing files, and does not validate them, as a result, unauthenticated attackers can upload arbitrary files (such as PHP) on the remote server

pub. 2022-06-27
9.8
CVSS
CRITICAL
CVE-2022-1020

The Product Table for WooCommerce (wooproducttable) WordPress plugin before 3.1.2 does not have authorisation and CSRF checks in the wpt_admin_update_notice_option AJAX action (available to both unauthenticated and authenticated users), as well as does not validate the callback parameter, allowing unauthenticated attackers to call arbitrary functions with either none or one user controlled argument

pub. 2022-04-18
9.8
CVSS
CRITICAL
CVE-2021-25032

The PublishPress Capabilities WordPress plugin before 2.3.1, PublishPress Capabilities Pro WordPress plugin before 2.3.1 does not have authorisation and CSRF checks when updating the plugin's settings via the init hook, and does not ensure that the options to be updated belong to the plugin. As a result, unauthenticated attackers could update arbitrary blog options, such as the default role and make any new registered user with an administrator role.

pub. 2022-01-10
Showing 20 of 10,574 vulnerabilities
Information
ID: CWE-352
Type: Compound
Vulnerabilities: 10,574
MITRE CWE ↗
← CWE Dictionary