'Cross-site Request Forgery' is an attack that forces authenticated users to submit an unwanted request to a Web application against which they are currently authenticated. CSRF attack works because browser requests automatically include all cookies including session cookies. Therefore, if the user is authenticated to the site, the site cannot distinguish between legitimate authorized requests and forged authenticated requests.
Improper Error Handling
Improper Error Handling, also known as Error Handling Flaws occur when an error message that’s displayed to an end user provides clues about how an application or website operates. It would be a serious risk when detailed internal error messages such as database dumps, stack traces, and error codes are displayed to the user (attacker). Even if the error message doesn't provide a lot of details, inconsistencies in such messages can still reveal important clues on how a site works or what system/back-end is present. Sometimes it may also lead to sensitive information disclosure.
The severity of improper error handling is scenario dependent, means in some scenarios this error exposes critical information and in other scenarios non-sensitive information thus the severity must be calculated for each scenario.
Reflected Cross Site Scripting (RXSS)
'Reflection' is when a web application returns the data entered by a user via request into the web application response.
Any reflected parameter of an application is suspected to be vulnerable but the most severe parameters are 'GET' parameters where an attacker can simply use the nature of 'GET' parameters where is being sent inside the URL to reflect malicious code into the victim responses.
If the reflection happens via 'POST' parameter or what is sometimes referred to as 'Self Cross-Site Scripting' or 'SXSS' an attacker may not be able to exploit the reflection scenario unless there's no 'CSRF' protection.