Vulnerability CVE-2016-7034

Published: 2016-09-07

Description:
The dashbuilder in Red Hat JBoss BPM Suite 6.3.2 does not properly handle CSRF tokens generated during an active session and includes them in query strings, which makes it easier for remote attackers to (1) bypass CSRF protection mechanisms or (2) conduct cross-site request forgery (CSRF) attacks by obtaining an old token.

Type:

CWE-352 (Cross-Site Request Forgery (CSRF))

CVSS2 => (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVSS Base Score:         6.8/10
Impact Subscore:         6.4/10
Exploitability Subscore: 8.6/10

Exploit range:         Remote
Attack complexity:     Medium
Authentication:        Not required

Confidentiality impact: Partial
Integrity impact:       Partial
Availability impact:    Partial

Affected software:
Red Hat -> JBoss BPM Suite

References:
http://rhn.redhat.com/errata/RHSA-2017-0557.html
http://www.securityfocus.com/bid/92760
https://access.redhat.com/errata/RHSA-2018:0296
https://bugzilla.redhat.com/show_bug.cgi?id=1373347

Copyright 2024, cxsecurity.com
