This article is a part of our Vulnerability Database (back to index)
Cross-Site Request Forgery occurrences in Debian Linux
Horde Groupware Webmail Edition through 5.2.22 allows a reflection injection attack through which an attacker can instantiate a driver class. This then leads to arbitrary deserialization of PHP objects. (2022-07-28, CVE-2022-30287)
In GNU Mailman before 2.1.38, a list member or moderator can get a CSRF token and craft an admin request (using that token) to set a new admin password or make other changes. (2021-12-02, CVE-2021-44227)
GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A csrf_token value is not specific to a single user account. An attacker can obtain a value within the context of an unprivileged user account, and then use that value in a CSRF attack against an admin (e.g., for account takeover). (2021-10-21, CVE-2021-42097)
WordPress before 5.5.2 allows CSRF attacks that change a theme's background image. (2020-11-02, CVE-2020-28040)
A CSRF forgery vulnerability exists in rails < 5.2.5, rails < 6.0.4 that makes it possible for an attacker to, given a global CSRF token such as the one present in the authenticity_token meta tag, forge a per-form CSRF token. (2020-07-02, CVE-2020-8166)
A CSRF vulnerability exists in rails <= 6.0.3 rails-ujs module that could allow attackers to send CSRF tokens to wrong domains. (2020-06-19, CVE-2020-8167)
An issue was discovered in Roundcube Webmail before 1.4.4. A CSRF attack can cause an authenticated user to be logged out because POST was not considered. (2020-05-04, CVE-2020-12626)
In phpBB before 3.1.7-PL1, includes/acp/acp_bbcodes.php has improper verification of a CSRF token on the BBCode page in the Administration Control Panel. An actual CSRF attack is possible if an attacker also manages to retrieve the session id of a reauthenticated administrator prior to targeting them. (2019-09-30, CVE-2019-16993)
Wikimedia MediaWiki through 1.32.1 allows CSRF. (2019-07-10, CVE-2019-12466)
Insufficient policy enforcement in Blink in Google Chrome prior to 74.0.3729.108 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (2019-06-27, CVE-2019-5814)
NPAPI plugins, such as Adobe Flash, can send non-simple cross-origin requests, bypassing CORS by making a same-origin POST that does a 307 redirect to the target site. This allows for a malicious site to engage in cross-site request forgery (CSRF) attacks. This vulnerability affects Thunderbird < 60, Thunderbird < 52.9, Firefox ESR < 60.1, Firefox ESR < 52.9, and Firefox < 61. (2018-10-18, CVE-2018-12364)
An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. By default, a user's session is invalidated when the user is logged out. This behavior can be disabled through the invalidate_session option. In this case, CSRF tokens were not erased during logout which allowed for CSRF token fixation. (2018-06-13, CVE-2018-11406)
Roland Gruber Softwareentwicklung LDAP Account Manager before 6.3 places a CSRF token in the sec_token parameter of a URI, which makes it easier for remote attackers to defeat a CSRF protection mechanism by leveraging logging. (2018-03-27, CVE-2018-8764)
Why Cross-Site Request Forgery can be dangerous
The absence of Anti-CSRF tokens may lead to a Cross-Site Request Forgery attack that can result in executing a specific application action as another logged in user, e.g. steal their account by changing their email and password or silently adding a new admin user account when executed from the administrator account.
The attacker may copy one of your web application forms, e.g. email/password change form.
The webpage will contain a form with the exact set of fields as the original application but with input values already provided and the submit button replaced with a Javascript code causing auto-submission. When the page is accessed the form will be immediately submitted and page contents replaced with a valid content or a redirect to your original application.
One of your application users who is already logged in can be then tricked to navigate to such malicious page e.g. by clicking a link in a phishing email, and the pre-populated form content will be submitted to your application like it would be submitted by your user.