Vulnerability Name: CVE-2016-7034 (CCN-116685)
Assigned: 2016-09-07
Published: 2016-09-07
Updated: 2018-02-15
Summary: The dashbuilder in Red Hat JBoss BPM Suite 6.3.2 does not properly handle CSRF tokens generated during an active session and includes them in query strings, which makes it easier for remote attackers to (1) bypass CSRF protection mechanisms or (2) conduct cross-site request forgery (CSRF) attacks by obtaining an old token.
CVSS v3 Severity:
- 8.8 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
- 8.4 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C)
- 5.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)
CVSS v2 Severity: 6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
Vulnerability Type: CWE-352
Vulnerability Consequences: Cross-Site Scripting
References:
- Source: MITRE (Type: CNA): CVE-2016-7034
- Source: CCN (Type: RHSA-2017-0557): Moderate: Red Hat JBoss BPM Suite security update
- Source: REDHAT (Type: UNKNOWN): RHSA-2017:0557
- Source: BID (Type: Third Party Advisory, VDB Entry): 92760
- Source: CCN (Type: BID-92760): Red Hat JBoss BPMS CVE-2016-7034 Cross Site Request Forgery Vulnerability
- Source: REDHAT (Type: UNKNOWN): RHSA-2018:0296
- Source: CCN (Type: Red Hat Bugzilla): Bug 1373347 (CVE-2016-7034) CVE-2016-7034 JBoss bpms: insecure handling CSRF token in dashbuilder
- Source: CONFIRM (Type: Issue Tracking): https://bugzilla.redhat.com/show_bug.cgi?id=1373347
- Source: XF (Type: UNKNOWN): redhat-jboss-cve20167034-csrf(116685)
- Source: CCN (Type: Red Hat Web site): Red Hat JBoss BPM Suite
Vulnerable Configuration: Configuration 1: Denotes that component is vulnerable
Vulnerability Name: CVE-2016-7034 (CCN-124601)
Assigned: 2016-08-23
Published: 2017-03-16
Updated: 2017-03-16
Summary: Red Hat JBoss BPM is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the dashbuilder. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVSS v3 Severity:
- 8.8 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
- 8.4 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C)
- 5.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)
CVSS v2 Severity: 6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
Vulnerability Consequences: Cross-Site Scripting
References:
- Source: MITRE (Type: CNA): CVE-2016-7034
- Source: CCN (Type: BID-92760): Red Hat JBoss BPMS CVE-2016-7034 Cross Site Request Forgery Vulnerability
- Source: CCN (Type: Red Hat Bugzilla): Bug 1371801 (CVE-2016-6343) CVE-2016-6343 JBoss bpms 6.3.x reflected XSS in dashbuilder
- Source: XF (Type: UNKNOWN): redhat-jboss-cve20166343-xss(124601)
Vulnerable Configuration: Configuration CCN 1: Denotes that component is vulnerable