Property
Language: generic
Severity: medium
CWE: CWE-352: Cross-Site Request Forgery (CSRF)
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

Forms in Django templates that handle data-changing requests (such as POST, PUT, DELETE, or PATCH) are missing a CSRF token. Without this token, the form is not protected against cross-site request forgery attacks.
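The following is an added example, not code from the rule's page or from Django itself. It shows the check this rule performs in miniature: a small scanner, written with only the Python standard library, that walks the forms in a template and reports any whose method is state-changing but whose body contains no `{% csrf_token %}` tag. The two template strings are constructed samples; the `/account/email/` action URL and the field names are placeholders.

```python
import re

# Constructed sample: a POST form with no CSRF token (what the rule flags).
VULNERABLE_TEMPLATE = """
<form method="post" action="/account/email/">
  <input type="email" name="email">
  <button type="submit">Update</button>
</form>
"""

# Constructed sample: the same form with Django's csrf_token tag added.
FIXED_TEMPLATE = """
<form method="post" action="/account/email/">
  {% csrf_token %}
  <input type="email" name="email">
  <button type="submit">Update</button>
</form>
"""

# Match each <form ...> ... </form> block, including newlines inside it.
FORM_RE = re.compile(r"<form\b[^>]*>.*?</form>", re.IGNORECASE | re.DOTALL)
# Pull the method attribute out of the opening tag (quoted or unquoted).
METHOD_RE = re.compile(r'method\s*=\s*["\']?\s*(\w+)', re.IGNORECASE)
# Django's template tag that renders the hidden csrfmiddlewaretoken field.
CSRF_TAG_RE = re.compile(r"\{%\s*csrf_token\s*%\}")
# Methods the rule treats as data-changing; a form with no method is GET.
STATE_CHANGING = {"post", "put", "patch", "delete"}


def find_unprotected_forms(template_source):
    """Return a list of (line_number, method) for every form in the template
    whose method is state-changing and whose body has no {% csrf_token %}."""
    findings = []
    for match in FORM_RE.finditer(template_source):
        form = match.group(0)
        # Everything up to the first '>' is the opening <form ...> tag.
        open_tag = form[: form.index(">") + 1]
        method_match = METHOD_RE.search(open_tag)
        method = method_match.group(1).lower() if method_match else "get"
        if method not in STATE_CHANGING:
            continue  # GET forms do not change server state; not in scope
        if CSRF_TAG_RE.search(form):
            continue  # token present inside the form body
        line = template_source.count("\n", 0, match.start()) + 1
        findings.append((line, method))
    return findings


if __name__ == "__main__":
    for name, source in (("vulnerable", VULNERABLE_TEMPLATE), ("fixed", FIXED_TEMPLATE)):
        print(name, find_unprotected_forms(source))
```

The scanner is intentionally conservative: a form with no `method` attribute is treated as GET and skipped, and a token anywhere inside the form body counts as protection. It does not follow `{% include %}` tags, so a token pulled in from an included partial would still be reported and has to be checked by hand. Note also that the fix is the template tag, not disabling the check: with `CsrfViewMiddleware` enabled, Django already rejects a POST that lacks the token, so the token belongs in the form rather than the view being exempted.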

Impact

If exploited, attackers could trick users into submitting unauthorized requests, potentially leading to unintended actions like changing user data, performing transactions, or compromising user accounts. This can result in data loss, unauthorized changes, or security breaches affecting both users and the organization.