CWE-352 (Cross-Site Request Forgery (CSRF)) — Vulnerability Class (4777 CVEs)

4777 vulnerabilities are classified as CWE-352 (Cross-Site Request Forgery (CSRF)). AI-generated analysis in Chinese is included for each entry.

CWE-352, Cross-Site Request Forgery, is a web application weakness in which the server does not verify that an incoming request was intentionally initiated by the authenticated user rather than by a third party. The attacker typically lures a victim who is logged into the target application to a page they control; that page carries a hidden form, image tag or script that issues a request to the target. Because the browser automatically attaches the victim's session cookies (and HTTP Basic or NTLM credentials, where those are in use), the server treats the forged request as legitimate and performs the action, for example a funds transfer or a profile change. The defence is to require something the attacker's page can neither read nor guess: an anti-CSRF token, either a synchronizer token bound to the session or a double-submitted cookie. This can be reinforced by checking that the Origin or Referer header matches the site's own origin and by setting the SameSite attribute on the session cookie so the browser withholds it from cross-site requests. Header checks on their own are weak, because the headers may be absent or stripped, and every CSRF defence collapses if the application also has a cross-site scripting flaw (CWE-79), since injected script runs in the site's own origin and can read the token.

MITRE CWE Description
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Common Consequences (1)
Scope: Confidentiality, Integrity, Availability, Non-Repudiation, Access Control
Impact: Gain Privileges or Assume Identity; Bypass Protection Mechanism; Read Application Data; Modify Application Data; DoS: Crash, Exit, or Restart
The consequences will vary depending on the nature of the functionality that is vulnerable to CSRF. An attacker could trick a client into making an unintentional request to the web server via a URL, image load, XMLHttpRequest, etc., which would then be treated as an authentic request from the client…
Mitigations (5)
Architecture and Design: Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. For example, use anti-CSRF packages such as the OWASP CSRFGuard. [REF-330] Another example is the ESAPI Session Management control, which includes a component for CSRF. [REF-45]
Implementation: Ensure that the application is free of cross-site scripting issues (CWE-79), because most CSRF defenses can be bypassed using attacker-controlled script.
Architecture and Design: Generate a unique nonce for each form, place the nonce into the form, and verify the nonce upon receipt of the form. Be sure that the nonce is not predictable (CWE-330). [REF-332]
Architecture and Design: Identify especially dangerous operations. When the user performs a dangerous operation, send a separate confirmation request to ensure that the user intended to perform that operation.
Architecture and Design: Use the "double-submitted cookie" method as described by Felten and Zeller: When a user visits a site, the site should generate a pseudorandom value and set it as a cookie on the user's machine. The site should require every form submission to include this value as a form value and also as a cookie value. When a POST request is sent to the site, the request should only be considered valid if the f…
Examples (1)
This example PHP code attempts to secure the form submission process by validating that the user submitting the form has a valid session. A CSRF attack would not be prevented by this countermeasure because the attacker forges a request through the user's web browser in which a valid session already exists.
<form action="/url/profile.php" method="post">
  <input type="text" name="firstname"/>
  <input type="text" name="lastname"/>
  <br/>
  <input type="text" name="email"/>
  <input type="submit" name="submit" value="Update"/>
</form>
Bad · HTML
<?php
// initiate the session in order to validate sessions
session_start();

// if the session is registered to a valid user then allow update
// (session_is_registered() from the original example was removed in PHP 5.4;
// testing $_SESSION directly is the equivalent check)
if (!isset($_SESSION['username'])) {
    echo "invalid session detected!";
    // Redirect user to login page
    [...]
    exit;
}

// The user session is valid, so process the request
// and update the information
update_profile();

function update_profile() {
    // read in the data from $_POST and send an update
    // to the database
    SendUpdateToDatabase($_SESSION['username'], $_POST['email']);
    [...]
    echo "Your profile has been successfully updated.";
}
Bad · PHP
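The profile handler above, rebuilt as an added example in Python; this is not MITRE's code and not this site's. It puts the session-only check that CSRF walks past next to a hardened version that applies the defences from the summary and the mitigation list: a synchronizer token (unpredictable nonce bound to the session with an HMAC), an Origin/Referer check, POST-only state changes, and, as a separate check, the Felten/Zeller double-submitted cookie. The request shape, the session store, the server key SERVER_SECRET, the site origin https://bank.example and the attacker origin https://evil.example are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from urllib.parse import urlsplit

# Assumptions of this example: one HMAC key known only to the server, and the
# application served from a single origin. Both values are hypothetical.
SERVER_SECRET = secrets.token_bytes(32)
SITE_ORIGIN = "https://bank.example"

# Constructed session store standing in for $_SESSION: session id -> data.
SESSIONS = {"sess-abc": {"username": "alice", "email": "alice@example.org"}}


@dataclass
class Request:
    """Cookies are kept apart from the form: the browser attaches them no
    matter which page sent the request, which is the property CSRF abuses."""
    method: str
    headers: dict
    cookies: dict
    form: dict


def session_for(req):
    return SESSIONS.get(req.cookies.get("PHPSESSID"))


def update_profile_vulnerable(req):
    """Mirrors the PHP example: a live session is the only check, so a request
    forged by another site, carrying the victim's cookie, is processed."""
    sess = session_for(req)
    if sess is None:
        return 401, "invalid session detected!"
    sess["email"] = req.form.get("email")
    return 200, "Your profile has been successfully updated."


def issue_csrf_token(sid):
    """Synchronizer token: an unpredictable nonce (CWE-330) bound to the session
    id with an HMAC, to be rendered into the form as a hidden field."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{sid}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(sid, token):
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SERVER_SECRET, f"{sid}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)  # constant-time comparison


def origin_ok(req):
    """Accept only our own origin, read from Origin or, failing that, Referer.
    A state-changing request that carries neither header is rejected."""
    origin = req.headers.get("Origin")
    if origin is None and "Referer" in req.headers:
        p = urlsplit(req.headers["Referer"])
        origin = f"{p.scheme}://{p.netloc}"
    return origin == SITE_ORIGIN


def double_submit_ok(req):
    """Felten/Zeller double-submitted cookie: the random value the browser sends
    as a cookie must also arrive as a form field. The attacker's page cannot
    read the cookie, so it cannot supply the matching field."""
    cookie_val, form_val = req.cookies.get("csrf", ""), req.form.get("csrf", "")
    return len(cookie_val) >= 32 and hmac.compare_digest(cookie_val.encode(), form_val.encode())


def update_profile_hardened(req):
    """Session check plus POST-only, Origin check and synchronizer token."""
    sess = session_for(req)
    if sess is None:
        return 401, "invalid session detected!"
    if req.method != "POST":
        return 405, "state changes require POST"
    if not origin_ok(req):
        return 403, "cross-origin request rejected"
    if not verify_csrf_token(req.cookies["PHPSESSID"], req.form.get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    sess["email"] = req.form.get("email")
    return 200, "Your profile has been successfully updated."


def demo():
    """Constructed traffic: one submission from our own form, one forged by a
    hidden form on https://evil.example. The browser attaches the victim's
    cookies to both; only our own page could embed the token or the csrf field."""
    sid, ds = "sess-abc", secrets.token_hex(16)   # ds: double-submit cookie value
    token = issue_csrf_token(sid)                  # rendered into the real form
    cookies = {"PHPSESSID": sid, "csrf": ds}
    legit = Request("POST", {"Origin": SITE_ORIGIN}, cookies,
                    {"email": "alice@new.example", "csrf_token": token, "csrf": ds})
    forged = Request("POST", {"Origin": "https://evil.example"}, cookies,
                     {"email": "attacker@evil.example"})
    return {
        "vulnerable_forged": update_profile_vulnerable(forged)[0],   # 200: accepted
        "hardened_legit": update_profile_hardened(legit)[0],         # 200
        "hardened_forged": update_profile_hardened(forged)[0],       # 403
        "double_submit_legit": double_submit_ok(legit),              # True
        "double_submit_forged": double_submit_ok(forged),            # False
    }


if __name__ == "__main__":
    print(demo())
```

Run it as a script to see the forged request accepted by the first handler and refused by the second. The PHP equivalent is to emit the token into the form as a hidden input when profile.php is rendered and compare it, with a constant-time comparison, before calling SendUpdateToDatabase. Setting SameSite=Lax or Strict on the session cookie adds a browser-enforced layer on top, but does not replace the token, and neither check survives an XSS flaw in the same origin.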
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2021-24685 | Flat Preloader < 1.5.4 - CSRF to Stored Cross-Site Scripting | Flat Preloader | 5.4 | - | 2021-11-01
CVE-2021-24572 | Paypal Donation < 1.3.1 - CSRF to Arbitrary Post Deletion | Accept Donations with PayPal | 4.3 | - | 2021-11-01
CVE-2021-24570 | Paypal Donation < 1.3.1 - CSRF to Stored Cross-Site Scripting | Accept Donations with PayPal | 4.7 | - | 2021-11-01
CVE-2020-36505 | Delete All Comments Easily <= 1.3 - All Comments Deletion via CSRF | Delete All Comments Easily | 4.3 | - | 2021-11-01
CVE-2020-36504 | WP-Pro-Quiz <= 0.37 - Arbitrary Quiz Deletion via CSRF | Wp-Pro-Quiz | 6.5 | - | 2021-11-01
CVE-2015-10001 | WP-Stats < 2.5.2 - CSRF to Stored Cross-Site Scripting (XSS) | WP-Stats | 4.3 | - | 2021-11-01
CVE-2021-3901 | Cross-Site Request Forgery (CSRF) in firefly-iii/firefly-iii | firefly-iii/firefly-iii | 4.3 | - | 2021-10-27
CVE-2021-3900 | Cross-Site Request Forgery (CSRF) in firefly-iii/firefly-iii | firefly-iii/firefly-iii | 4.3 | - | 2021-10-27
CVE-2021-41176 | logout CSRF in Pterodactyl Panel | panel | 4.3 | Medium | 2021-10-25
CVE-2021-24543 | jQuery Reply to Comment <= 1.31 - CSRF to Stored Cross-Site Scripting | jQuery Reply to Comment | 6.1 | - | 2021-10-25
CVE-2021-24487 | St Daily Tip <= 4.7 - CSRF to Stored Cross-Site Scripting | St-Daily-Tip | 5.4 | - | 2021-10-25
CVE-2021-34743 | Cisco Webex Software Application Authorization Bypass Vulnerability | Cisco Webex Meetings | 4.3 | Medium | 2021-10-21
CVE-2021-3858 | Cross-Site Request Forgery (CSRF) in snipe/snipe-it | snipe/snipe-it | 4.3 | - | 2021-10-19
CVE-2021-38480 | InHand Networks IR615 Router | IR615 Router | 9.6 | Critical | 2021-10-19
CVE-2021-24735 | Compact WP Audio Player < 1.9.7 - Setting Change via CSRF | Compact WP Audio Player | 6.5 | - | 2021-10-18
CVE-2021-24675 | One User Avatar < 2.3.7 - Avatar Update via CSRF | One User Avatar (User Profile Picture) | 6.5 | - | 2021-10-18
CVE-2021-24642 | Scroll Baner <= 1.0 - CSRF to RCE | Scroll Baner | 6.5 | - | 2021-10-18
CVE-2021-24615 | Wechat Reward <= 1.7 - CSRF to Stored Cross-Site Scripting | Wechat Reward | 5.4 | - | 2021-10-18
CVE-2021-24595 | WP Cookie Choice <= 1.1.0 - CSRF to Stored Cross-Site Scripting | Wp Cookie Choice | 6.5 | - | 2021-10-18
CVE-2021-39864 | Adobe Commerce Cross-Site Request Forgery (CSRF) Could Lead To Unauthorized Cart Addition | Magento Commerce | 6.5 | Medium | 2021-10-15
CVE-2021-24711 | Software License Manager < 4.5.1 - Arbitrary Domain Deletion via CSRF | Software License Manager | 8.8 | - | 2021-10-11
CVE-2021-24683 | Weather Effect < 1.3.4 - CSRF to Stored Cross-Site Scripting | Weather Effect – Christmas Santa Snow Falling | 5.4 | - | 2021-10-11
CVE-2021-41113 | Cross-Site-Request-Forgery in Backend URI Handling in Typo3 | typo3 | 8.8 | High | 2021-10-05
CVE-2021-36850 | WordPress Media File Renamer – Auto & Manual Rename plugin <= 5.1.9 - Cross-Site Request Forgery (CSRF) vulnerability | Media File Renamer – Auto & Manual Rename (WordPress plugin) | 5.4 | Medium | 2021-10-04
CVE-2021-41295 | ECOA BAS controller - Cross-Site Request Forgery (CSRF) | ECS Router Controller ECS (FLASH) | 8.8 | High | 2021-09-30
CVE-2021-34636 | Countdown and CountUp, WooCommerce Sales Timer <= 1.5.7 Cross-Site Request Forgery to Stored Cross-Site Scripting | Countdown and CountUp, WooCommerce Sales Timers | 8.8 | High | 2021-09-28
CVE-2021-36877 | WordPress uListing plugin <= 2.0.5 - Modify User Roles via Cross-Site Request Forgery (CSRF) vulnerability | uListing (WordPress plugin) | 4.3 | Medium | 2021-09-27
CVE-2021-36876 | WordPress uListing plugin <= 2.0.5 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities | uListing (WordPress plugin) | 5.4 | Medium | 2021-09-27
CVE-2021-36878 | WordPress uListing plugin <= 2.0.5 - Settings Update via Cross-Site Request Forgery (CSRF) vulnerability | uListing (WordPress plugin) | 4.3 | Medium | 2021-09-27
CVE-2021-3819 | Cross-Site Request Forgery (CSRF) in firefly-iii/firefly-iii | firefly-iii/firefly-iii | 4.3 | - | 2021-09-27

Vulnerabilities classified as CWE-352 (Cross-Site Request Forgery (CSRF)) account for 4777 CVEs. The CWE entry describes the weakness class; review the individual CVEs for product-specific impact.