Description
JasperServer in JasperReports Server Community Project 3.7.0 and 3.7.1 uses a predictable _flowExecutionKey parameter, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via a brute-force approach.
References (6)
Core 6
Core References
Various Sources x_refsource_misc
http://www.csirtcv.gva.es/sites/all/files/images/content/%5BCSIRT-cv%5D%20JasperServer%203.7.0%20CE%20CSRF%20Advisory.pdf
Various Sources x_refsource_misc
http://www.csirtcv.gva.es/es/alertas/vulnerabilidad-en-jasperserver.html
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/69849
US Government Resource third-party-advisory
x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/519588
US Government Resource x_refsource_confirm
http://www.kb.cert.org/vuls/id/MAPG-8ELLJC
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/49649
Scores
EPSS
0.0149
EPSS Percentile
71.1%
Details
CWE
CWE-352
Status
published
Products (2)
jasperforge/jasperreports_server_community_project
3.7.0
jasperforge/jasperreports_server_community_project
3.7.1
Published
Sep 20, 2011
Tracked Since
Feb 18, 2026