SYM_JAVA_0144 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Cross-Site Request Forgery (CSRF)
| Property | Value |
|---|---|
| Language | java |
| Severity | |
| CWE | CWE-352: Cross-Site Request Forgery (CSRF) |
| OWASP | A01:2021 - Broken Access Control |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
A Spring MVC controller method is annotated with @RequestMapping without a method attribute, so it accepts every HTTP method (GET, HEAD, POST, PUT, DELETE, ...) by default. If the handler changes state, it is therefore reachable via a "safe" method such as GET. This matters for CSRF because Spring Security's CsrfFilter only requires a token on non-safe methods; GET, HEAD, TRACE and OPTIONS are passed through unchecked. A state-changing handler that answers GET is thus exposed to CSRF even when CSRF protection is enabled: an attacker page can trigger the request with a plain link or an <img> tag, and the victim's browser attaches the session cookie automatically. The same endpoint restricted to POST would return 405 on GET and would have its CSRF token validated on POST.
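The following is an added illustration, not code from the Symbiotic database or from any real project: a Spring MVC controller with the unrestricted mapping described above next to the same handler restricted to POST, plus a Spring Security configuration that keeps the default CsrfFilter enabled. The class names, the `AccountService` interface and the `/account/email` path are hypothetical.

```java
// Added example (hypothetical names): unrestricted vs. method-restricted mapping.
package example;

import java.security.Principal;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical service that persists the change.
interface AccountService {
    void updateEmail(String username, String newEmail);
}

@RestController
public class AccountController {

    private final AccountService accounts;

    public AccountController(AccountService accounts) {
        this.accounts = accounts;
    }

    // VULNERABLE: no method attribute, so GET /account/email?value=... is accepted.
    // Spring Security's CsrfFilter does not require a token for GET, so a page on
    // attacker.example can change the victim's e-mail with a cross-site request such as
    //   <img src="https://app.example/account/email?value=attacker@evil.example">
    // and the browser sends the victim's session cookie with it.
    @RequestMapping("/account/email")
    public String changeEmailInsecure(@RequestParam String value, Principal user) {
        accounts.updateEmail(user.getName(), value);
        return "ok";
    }

    // HARDENED: @PostMapping is @RequestMapping(method = RequestMethod.POST).
    // A GET now gets 405 Method Not Allowed, and a POST must carry a valid CSRF
    // token (form field _csrf or header X-CSRF-TOKEN) or the CsrfFilter rejects it
    // with 403 before this method runs.
    @PostMapping("/account/email")
    public String changeEmail(@RequestParam String value, Principal user) {
        accounts.updateEmail(user.getName(), value);
        return "ok";
    }
}

// The method restriction only helps if CSRF protection stays on. Spring Security
// enables it by default; this configuration keeps it and does not call csrf.disable().
@Configuration
@EnableWebSecurity
class SecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .csrf(Customizer.withDefaults())
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}
```

To confirm the fix, send an authenticated GET to the endpoint and expect 405, then send an authenticated POST without a CSRF token and expect 403; only a POST carrying the token issued for that session should reach the handler.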
Impact
If exploited, an attacker who lures an authenticated user to a page they control can make that user's browser perform unwanted actions on the application (such as changing data, account e-mail or other user settings) with forged requests the server cannot distinguish from legitimate ones. This can lead to unauthorized data changes, account takeover, or other security breaches, especially where sensitive operations are reachable through GET or other methods that the CSRF filter does not check.