CVE-2016-2863

HIGH

IBM WebSphere Commerce 7.0 FP8, 8.0.0.x < 8.0.0.10, 8.0.1.x < 8.0.1.2 - CSRF

Title source: llm
STIX 2.1

Description

Cross-site request forgery (CSRF) vulnerability in IBM WebSphere Commerce 7.0 Feature Pack 8, 8.0.0.x before 8.0.0.10, and 8.0.1.x before 8.0.1.2 allows remote authenticated users to hijack the authentication of arbitrary users for requests that insert XSS sequences.

References (4)

Core 4
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/91544
Various Sources vendor-advisory x_refsource_aixapar
http://www-01.ibm.com/support/docview.wss?uid=swg1JR55776
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1036219
Vendor Advisory x_refsource_confirm
http://www-01.ibm.com/support/docview.wss?uid=swg21983626

Scores

CVSS v3 8.0
EPSS 0.0056
EPSS Percentile 42.3%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-352
Status published
Products (10)
ibm/websphere_commerce 7.0 feature_pack_8
ibm/websphere_commerce 8.0.0.0
ibm/websphere_commerce 8.0.0.1
ibm/websphere_commerce 8.0.0.2
ibm/websphere_commerce 8.0.0.3
ibm/websphere_commerce 8.0.0.5
ibm/websphere_commerce 8.0.0.6
ibm/websphere_commerce 8.0.0.7
ibm/websphere_commerce 8.0.0.8
ibm/websphere_commerce 8.0.0.9
Published Jul 03, 2016
Tracked Since Feb 18, 2026