CVE-2014-0120
HIGHHawt.io < 1.2.2 - Cross-Site Request Forgery via Admin Terminal
Title source: llmDescription
Cross-site request forgery (CSRF) vulnerability in the admin terminal in Hawt.io allows remote attackers to hijack the authentication of arbitrary users for requests that run commands on the Karaf server, as demonstrated by running "shutdown -f."
References (3)
Core 3
Core References
Issue Tracking, Third Party Advisory x_refsource_misc
https://infocon.org/cons/SyScan/SyScan%202015%20Singapore/SyScan%202015%20Singapore%20presentations/SyScan15%20David%20Jorm%20-%20Finding%20and%20exploiting%20novel%20flaws%20in%20Java%20software.pdf
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://github.com/hawtio/hawtio/commit/b4e23e002639c274a2f687ada980118512f06113
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=1072681
Scores
CVSS v3
8.8
EPSS
0.0116
EPSS Percentile
63.4%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-352
Status
published
Products (2)
hawt/hawtio
< 1.2.2
redhat/jboss_fuse
6.1.0 beta
Published
Dec 29, 2017
Tracked Since
Feb 18, 2026