CVE-2016-7034
HIGHRed Hat JBoss BPM Suite 6.3.2 - Cross-Site Request Forgery via Query String Token Exposure
Title source: llmDescription
The dashbuilder in Red Hat JBoss BPM Suite 6.3.2 does not properly handle CSRF tokens generated during an active session and includes them in query strings, which makes easier for remote attackers to (1) bypass CSRF protection mechanisms or (2) conduct cross-site request forgery (CSRF) attacks by obtaining an old token.
References (4)
Core 4
Core References
Vendor Advisory vendor-advisory
x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2017-0557.html
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:0296
Issue Tracking x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=1373347
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/92760
Scores
CVSS v3
8.8
EPSS
0.0113
EPSS Percentile
62.4%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-352
Status
published
Products (1)
redhat/jboss_bpm_suite
6.3.2
Published
Sep 07, 2016
Tracked Since
Feb 18, 2026