CVE-2016-7034

HIGH

Red Hat JBoss BPM Suite 6.3.2 - Cross-Site Request Forgery via Query String Token Exposure

Title source: llm
STIX 2.1

Description

The dashbuilder in Red Hat JBoss BPM Suite 6.3.2 does not properly handle CSRF tokens generated during an active session and includes them in query strings, which makes easier for remote attackers to (1) bypass CSRF protection mechanisms or (2) conduct cross-site request forgery (CSRF) attacks by obtaining an old token.

References (4)

Core 4
Core References
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2017-0557.html
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:0296
Issue Tracking x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=1373347
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/92760

Scores

CVSS v3 8.8
EPSS 0.0113
EPSS Percentile 62.4%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-352
Status published
Products (1)
redhat/jboss_bpm_suite 6.3.2
Published Sep 07, 2016
Tracked Since Feb 18, 2026