CVE-2016-7034 — Cross-Site Request Forgery in Redhat Jboss BPM Suite
Severity
8.8 HIGH (NVD)
EPSS
0.1%
top 73.93%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Sep 7
Latest update: May 14
Description
The dashbuilder in Red Hat JBoss BPM Suite 6.3.2 does not properly handle CSRF tokens generated during an active session and includes them in query strings, which makes it easier for remote attackers to (1) bypass CSRF protection mechanisms or (2) conduct cross-site request forgery (CSRF) attacks by obtaining an old token.
CVSS vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9