CVE-2015-5178

CWE-254 CWE-20 — Improper Input Validation5 documents5 sources

Severity

4.3MEDIUM

EPSS

0.5%

top 33.79%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Jboss Enterprise Application Platform Redhat Jboss Wildfly Application Server

Timeline

PublishedOct 27

Latest updateMay 17

Description

The Management Console in Red Hat Enterprise Application Platform before 6.4.4 and WildFly (formerly JBoss Application Server) does not send an X-Frame-Options HTTP header, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web page that contains a (1) FRAME or (2) IFRAME element.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages2 packages

▶NVDredhat/jboss_wildfly_application_server2.0.0

▶NVDredhat/jboss_enterprise_application_platform6.4.3

🔴Vulnerability Details

GHSA

GHSA-9x2p-wcwc-h875: The Management Console in Red Hat Enterprise Application Platform before 6↗2022-05-17

▶

CVEList

CVE-2015-5178: The Management Console in Red Hat Enterprise Application Platform before 6↗2015-10-27

▶

📋Vendor Advisories

Red Hat

AS/WildFly: missing X-Frame-Options header leading to clickjacking↗2015-10-15

▶

💬Community

Bugzilla

CVE-2015-5178 JBoss AS/WildFly: missing X-Frame-Options header leading to clickjacking↗2015-08-05

▶