Byte Open Security (ByteOS Network)
CAPEC-62: Cross Site Request Forgery
Attack Pattern ID: 62
Version: v3.9
Attack Pattern Name: Cross Site Request Forgery
Abstraction: Standard
Status: Draft
Likelihood of Attack: High
Typical Severity: Very High
5 Weaknesses found

CWE-1275: Sensitive Cookie with Improper SameSite Attribute
Likelihood of Exploit: Medium
Mapping: Allowed
Abstraction: Variant
Found in 7 CVEs

The SameSite attribute for sensitive cookies is not set, or an insecure value is used.

Impacts: Modify Application Data
Tags: Medium exploit; Web Based (technology class); Modify Application Data (impact)
As Seen In: Not Available
CWE-306: Missing Authentication for Critical Function
Likelihood of Exploit: High
Mapping: Allowed
Abstraction: Base
Found in 1621 CVEs

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Impacts: Varies by Context; Gain Privileges or Assume Identity
Tags: High exploit; Libraries or Frameworks; Cloud Computing (technology class); ICS/OT (technology class); Varies by Context (impact); Gain Privileges or Assume Identity (impact)
As Seen In: 2021 CWE Top 25 Most Dangerous Software; 2020 CWE Top 25 Most Dangerous Software; 2022 CWE Top 25 Most Dangerous Software; 2023 CWE Top 25 Most Dangerous Software; 2024 CWE Top 25 Most Dangerous Software; CWE Cross-section
CWE-352: Cross-Site Request Forgery (CSRF)
Likelihood of Exploit: Medium
Mapping: Allowed
Abstraction: Compound
Found in 8131 CVEs

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Impacts: Read Application Data; DoS: Crash, Exit, or Restart; Gain Privileges or Assume Identity; Bypass Protection Mechanism; Modify Application Data
Tags: Web Server; Medium exploit; Libraries or Frameworks; Bypass Protection Mechanism (impact); Modify Application Data (impact); DoS: Crash, Exit, or Restart (impact); Read Application Data (impact); Gain Privileges or Assume Identity (impact)
As Seen In: 2019 CWE Top 25 Most Dangerous Software Errors; 2021 CWE Top 25 Most Dangerous Software; 2020 CWE Top 25 Most Dangerous Software; 2022 CWE Top 25 Most Dangerous Software; 2023 CWE Top 25 Most Dangerous Software; 2024 CWE Top 25 Most Dangerous Software; Originally Used by NVD from 2008 to 2016; CWE Cross-section
CWE-664: Improper Control of a Resource Through its Lifetime
Likelihood of Exploit: Not Available
Mapping: Discouraged
Abstraction: Pillar
Found in 38 CVEs

The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.

Impacts: Other
Tags: Other (impact)
As Seen In: Research Concepts
CWE-732: Incorrect Permission Assignment for Critical Resource
Likelihood of Exploit: High
Mapping: Allowed-with-Review
Abstraction: Class
Found in 1476 CVEs

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

Impacts: Read Application Data; Other; Gain Privileges or Assume Identity; Read Files or Directories; Modify Application Data
Tags: High exploit; Environment Hardening; Sandbox or Jail; Cloud Computing (technology class); Other (impact); Modify Application Data (impact); Read Files or Directories (impact); Read Application Data (impact); Gain Privileges or Assume Identity (impact)
As Seen In: 2019 CWE Top 25 Most Dangerous Software Errors; 2021 CWE Top 25 Most Dangerous Software; CISQ Data Protection Measures; 2020 CWE Top 25 Most Dangerous Software; Simplified Mapping of Published Vulnerabilities; CWE Cross-section