Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2022-35656

Summary
Assigner-Pega
Assigner Org ID-c91e5604-2bd1-401f-a0ec-b25342b57ef9
Published At-22 Aug, 2022 | 14:47
Updated At-03 Aug, 2024 | 09:36
Rejected At-
Credits

Pega Platform from 8.3 to 8.7.3 vulnerability may allow authenticated security administrators to alter CSRF settings directly.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Pega
Assigner Org ID:c91e5604-2bd1-401f-a0ec-b25342b57ef9
Published At:22 Aug, 2022 | 14:47
Updated At:03 Aug, 2024 | 09:36
Rejected At:
▼CVE Numbering Authority (CNA)

Pega Platform from 8.3 to 8.7.3 vulnerability may allow authenticated security administrators to alter CSRF settings directly.

Affected Products
Vendor
Pegasystems
Product
Pega Infinity
Versions
Affected
  • From 8.3 before unspecified (custom)
  • From unspecified before 8.7.3 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-352CWE-352: Cross-Site Request Forgery
Type: CWE
CWE ID: CWE-352
Description: CWE-352: Cross-Site Request Forgery
Metrics
VersionBase scoreBase severityVector
3.06.8MEDIUM
CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
Version: 3.0
Base score: 6.8
Base severity: MEDIUM
Vector:
CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Kane Gamble from Blackfoot UK
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix
x_refsource_MISC
Hyperlink: https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix
x_refsource_MISC
x_transferred
Hyperlink: https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@pega.com
Published At:22 Aug, 2022 | 15:15
Updated At:23 Aug, 2022 | 16:45

Pega Platform from 8.3 to 8.7.3 vulnerability may allow authenticated security administrators to alter CSRF settings directly.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.14.5MEDIUM
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N
Secondary3.06.8MEDIUM
CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
Type: Primary
Version: 3.1
Base score: 4.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N
Type: Secondary
Version: 3.0
Base score: 6.8
Base severity: MEDIUM
Vector:
CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
CPE Matches
pega
pega
>>pega_platform>>Versions from 8.3(inclusive) to 8.7.3(inclusive)
cpe:2.3:a:pega:pega_platform:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-352Primarynvd@nist.gov
CWE-352Secondarysecurity@pega.com
CWE ID: CWE-352
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-352
Type: Secondary
Source: security@pega.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrixsecurity@pega.com
Vendor Advisory
Hyperlink: https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix
Source: security@pega.com
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

19Records found
CVE-2017-17830
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.8||MEDIUM
EPSS-0.13% / 33.56%
||
7 Day CHG~0.00%
Published-21 Dec, 2017 | 05:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Bus Booking Script has CSRF via admin/new_master.php.

Action-Not Available
Vendor-doditsolutionsn/a
Product-bus_booking_scriptn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-27265
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-4.5||MEDIUM
EPSS-0.04% / 8.87%
||
7 Day CHG~0.00%
Published-14 Mar, 2024 | 18:37
Updated-02 Aug, 2024 | 00:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Integration Bus for z/OS cross-site request forgery

IBM Integration Bus for z/OS 10.1 through 10.1.0.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 284564.

Action-Not Available
Vendor-IBM CorporationLinux Kernel Organization, IncMicrosoft Corporation
Product-windowsintegration_buslinux_kernelz\/osIntegration Bus for z/OS
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-2405
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.5||MEDIUM
EPSS-0.18% / 40.28%
||
7 Day CHG~0.00%
Published-02 May, 2024 | 06:00
Updated-08 May, 2025 | 18:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Float menu < 6.0.1 - Menu Deletion via CSRF

The Float menu WordPress plugin before 6.0.1 does not have CSRF check in its bulk actions, which could allow attackers to make logged in admin delete arbitrary menu via a CSRF attack.

Action-Not Available
Vendor-wow-companyUnknownwow-company
Product-float_menuFloat menu float_menu
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-13304
Matching Score-4
Assigner-Drupal.org
ShareView Details
Matching Score-4
Assigner-Drupal.org
CVSS Score-4.5||MEDIUM
EPSS-0.03% / 4.94%
||
7 Day CHG~0.00%
Published-09 Jan, 2025 | 20:25
Updated-28 Aug, 2025 | 11:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Minify JS - Moderately critical - Cross site request forgery - SA-CONTRIB-2024-070

Cross-Site Request Forgery (CSRF) vulnerability in Drupal Minify JS allows Cross Site Request Forgery.This issue affects Minify JS: from 0.0.0 before 3.0.3.

Action-Not Available
Vendor-matthiasmullieThe Drupal Association
Product-minify_jsMinify JS
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2021-22701
Matching Score-4
Assigner-Schneider Electric
ShareView Details
Matching Score-4
Assigner-Schneider Electric
CVSS Score-4.5||MEDIUM
EPSS-0.15% / 36.48%
||
7 Day CHG~0.00%
Published-19 Feb, 2021 | 15:15
Updated-03 Aug, 2024 | 18:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-352: Cross-Site Request Forgery vulnerability exists in PowerLogic ION7400, ION7650, ION83xx/84xx/85xx/8600, ION8650, ION8800, ION9000 and PM800 (see notification for affected versions), that could cause a user to perform an unintended action on the target device when using the HTTP web interface.

Action-Not Available
Vendor-n/a
Product-powerlogic_ion8650powerlogic_ion8400_firmwarepowerlogic_ion7410powerlogic_pm8000_firmwarepowerlogic_pm8000powerlogic_ion8300_firmwarepowerlogic_ion7400_firmwarepowerlogic_ion7650_firmwarepowerlogic_ion8800powerlogic_ion8600powerlogic_ion8500_firmwarepowerlogic_ion8300powerlogic_ion8500powerlogic_ion8600_firmwarepowerlogic_ion9000_firmwarepowerlogic_ion9000powerlogic_ion8400powerlogic_ion8800_firmwarepowerlogic_ion7400powerlogic_ion7650powerlogic_ion8650_firmwarePowerLogic ION7400, ION7650, ION83xx/84xx/85xx/8600, ION8650, ION8800, ION9000 and PM800 (see notification for affected versions)
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2018-5073
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.8||MEDIUM
EPSS-0.11% / 30.09%
||
7 Day CHG~0.00%
Published-03 Jan, 2018 | 20:00
Updated-17 Sep, 2024 | 00:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Online Ticket Booking has CSRF via admin/movieedit.php.

Action-Not Available
Vendor-advanced_real_estate_script_projectn/a
Product-advanced_real_estate_scriptn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2022-46062
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.5||MEDIUM
EPSS-0.08% / 25.10%
||
7 Day CHG~0.00%
Published-13 Dec, 2022 | 00:00
Updated-22 Apr, 2025 | 03:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Gym Management System v0.0.1 is vulnerable to Cross Site Request Forgery (CSRF).

Action-Not Available
Vendor-n/aAdrian Mercurio
Product-gym_management_systemn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2018-10223
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.8||MEDIUM
EPSS-0.14% / 34.59%
||
7 Day CHG~0.00%
Published-19 Apr, 2018 | 08:00
Updated-05 Aug, 2024 | 07:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in YzmCMS 3.8. There is a CSRF vulnerability that can add an admin account via /index.php/admin/admin_manage/add.html.

Action-Not Available
Vendor-yzmcmsn/a
Product-yzmcmsn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2022-25576
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.5||MEDIUM
EPSS-0.11% / 29.86%
||
7 Day CHG~0.00%
Published-24 Mar, 2022 | 22:06
Updated-03 Aug, 2024 | 04:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Anchor CMS v0.12.7 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component anchor/routes/posts.php. This vulnerability allows attackers to arbitrarily delete posts.

Action-Not Available
Vendor-anchorcmsn/a
Product-anchor_cmsn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2018-10224
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.8||MEDIUM
EPSS-0.14% / 34.59%
||
7 Day CHG~0.00%
Published-19 Apr, 2018 | 08:00
Updated-05 Aug, 2024 | 07:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in YzmCMS 3.8. There is a CSRF vulnerability that can add a tag via /index.php/admin/tag/add.html.

Action-Not Available
Vendor-yzmcmsn/a
Product-yzmcmsn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2020-20586
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.5||MEDIUM
EPSS-0.14% / 34.76%
||
7 Day CHG~0.00%
Published-08 Jul, 2021 | 15:44
Updated-04 Aug, 2024 | 14:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross site request forgery (CSRF) vulnerability in the /xyhai.php?s=/Auth/editUser URI of XYHCMS V3.6 allows attackers to edit any information of the administrator such as the name, e-mail, and password.

Action-Not Available
Vendor-xyhcmsn/a
Product-xyhcmsn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2020-36191
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.5||MEDIUM
EPSS-0.12% / 32.36%
||
7 Day CHG~0.00%
Published-13 Jan, 2021 | 03:36
Updated-04 Aug, 2024 | 17:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

JupyterHub 1.1.0 allows CSRF in the admin panel via a request that lacks an _xsrf field, as demonstrated by a /hub/api/user request (to add or remove a user account).

Action-Not Available
Vendor-jupytern/a
Product-jupyterhubn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2020-13527
Matching Score-4
Assigner-Talos
ShareView Details
Matching Score-4
Assigner-Talos
CVSS Score-4.8||MEDIUM
EPSS-0.09% / 25.96%
||
7 Day CHG~0.00%
Published-17 Dec, 2020 | 23:38
Updated-04 Aug, 2024 | 12:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An authentication bypass vulnerability exists in the Web Manager functionality of Lantronix XPort EDGE 3.0.0.0R11, 3.1.0.0R9, 3.4.0.0R12 and 4.2.0.0R7. A specially crafted HTTP request can cause increased privileges. An attacker can send an HTTP request to trigger this vulnerability.

Action-Not Available
Vendor-lantronixn/a
Product-sgx_firmwarexport_edge_firmwarexport_edgesgxLantronix
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-2228
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-6.8||MEDIUM
EPSS-0.06% / 17.16%
||
7 Day CHG~0.00%
Published-21 Apr, 2023 | 00:00
Updated-04 Feb, 2025 | 20:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Request Forgery (CSRF) in modoboa/modoboa

Cross-Site Request Forgery (CSRF) in GitHub repository modoboa/modoboa prior to 2.1.0.

Action-Not Available
Vendor-modoboamodoboa
Product-modoboamodoboa/modoboa
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-6607
Matching Score-4
Assigner-F5, Inc.
ShareView Details
Matching Score-4
Assigner-F5, Inc.
CVSS Score-6.8||MEDIUM
EPSS-0.17% / 39.10%
||
7 Day CHG~0.00%
Published-28 Mar, 2019 | 20:39
Updated-04 Aug, 2024 | 20:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

On BIG-IP ASM 11.5.1-11.5.8, 11.6.1-11.6.3, 12.1.0-12.1.3, 13.0.0-13.1.1.3, and 14.0.0-14.0.0.2, there is a stored cross-site scripting vulnerability in an ASM violation viewed in the Configuration utility. In the worst case, an attacker can store a CSRF which results in code execution as the admin user.

Action-Not Available
Vendor-BIG-IPF5, Inc.
Product-big-ip_application_security_managerBIG-IP (ASM)
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-57523
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.5||MEDIUM
EPSS-0.22% / 44.78%
||
7 Day CHG~0.00%
Published-06 Feb, 2025 | 00:00
Updated-22 Apr, 2025 | 20:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross Site Request Forgery (CSRF) in Users.php in SourceCodester Packers and Movers Management System 1.0 allows attackers to create unauthorized admin accounts via crafted requests sent to an authenticated admin user.

Action-Not Available
Vendor-n/aoretnom23
Product-packers_and_movers_management_systemn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-47914
Matching Score-4
Assigner-Israel National Cyber Directorate (INCD)
ShareView Details
Matching Score-4
Assigner-Israel National Cyber Directorate (INCD)
CVSS Score-4.5||MEDIUM
EPSS-0.03% / 7.72%
||
7 Day CHG~0.00%
Published-14 Nov, 2024 | 09:56
Updated-15 Nov, 2024 | 13:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
VaeMendis - CWE-352: Cross-Site Request Forgery (CSRF)

VaeMendis - CWE-352: Cross-Site Request Forgery (CSRF)

Action-Not Available
Vendor-VaeMendis
Product-VaeMendis Ubooquity version 2.1.2
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2017-17982
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.8||MEDIUM
EPSS-0.11% / 30.09%
||
7 Day CHG~0.00%
Published-30 Dec, 2017 | 04:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

PHP Scripts Mall Muslim Matrimonial Script has CSRF via admin/subadmin_edit.php.

Action-Not Available
Vendor-muslim_matrimonial_script_projectn/a
Product-muslim_matrimonial_scriptn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2017-1000147
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.8||MEDIUM
EPSS-0.10% / 29.00%
||
7 Day CHG~0.00%
Published-03 Nov, 2017 | 18:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Mahara 1.9 before 1.9.8 and 1.10 before 1.10.6 and 15.04 before 15.04.3 are vulnerable to perform a cross-site request forgery (CSRF) attack on the uploader contained in Mahara's filebrowser widget. This could allow an attacker to trick a Mahara user into unknowingly uploading malicious files into their Mahara account.

Action-Not Available
Vendor-n/aMahara
Product-maharan/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
Details not found