The dashbuilder in Red Hat JBoss BPM Suite 6.3.2 does not properly handle CSRF tokens generated during an active session and includes them in query strings, which makes it easier for remote attackers to (1) bypass CSRF protection mechanisms or (2) conduct cross-site request forgery (CSRF) attacks by obtaining an old token.
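The two weaknesses in the description (tokens carried in query strings, where they end up in Referer headers, browser history and access logs, and tokens that stay valid after newer ones are issued) can be shown side by side with a small token guard. The following is an added illustration written for this page, not dashbuilder's or Red Hat's code; the class and function names, the `csrf_token` parameter name and the session identifiers are all assumed for the example.

```python
import hmac
import secrets


class LeakyCsrfGuard:
    """Weak pattern (assumed, constructed for illustration): every token ever issued
    for a session stays valid, and the token is accepted from the query string."""

    def __init__(self):
        self.issued = {}  # session_id -> set of all tokens ever issued

    def issue(self, session_id):
        token = secrets.token_urlsafe(32)
        self.issued.setdefault(session_id, set()).add(token)
        return token

    def check(self, session_id, query_params, form_fields):
        # Reading the token from the URL means it is written to Referer headers,
        # history and server logs, where an attacker can pick it up later.
        token = query_params.get("csrf_token") or form_fields.get("csrf_token")
        # Any stale token is still accepted, so an old token is as good as a new one.
        return token in self.issued.get(session_id, set())


class HardenedCsrfGuard:
    """Hardened pattern: one live token per session, replaced when a new one is
    issued or when it is used, and never read from the query string."""

    def __init__(self):
        self.current = {}  # session_id -> the single currently valid token

    def issue(self, session_id):
        token = secrets.token_urlsafe(32)
        self.current[session_id] = token  # issuing a new token invalidates the old one
        return token

    def check(self, session_id, query_params, form_fields):
        # Query-string values are ignored on purpose: only the POST body (or a
        # custom request header, not shown here) may carry the token.
        token = form_fields.get("csrf_token")
        expected = self.current.get(session_id)
        if token is None or expected is None:
            return False
        ok = hmac.compare_digest(token, expected)  # constant-time comparison
        if ok:
            self.issue(session_id)  # single use: a replayed token fails next time
        return ok


def replay_old_token(guard):
    """Scenario: the victim's session was issued t1 and later t2; the attacker
    obtained t1 (for example from a logged URL) and sends it in the query string."""
    sid = "victim-session"
    t1 = guard.issue(sid)
    guard.issue(sid)  # t2, the token the victim's page currently holds
    return guard.check(sid, {"csrf_token": t1}, {})


def legitimate_then_replay(guard):
    """Scenario: a genuine form post with the current token, then the same token
    submitted a second time. Returns (first_accepted, second_accepted)."""
    sid = "victim-session"
    t = guard.issue(sid)
    first = guard.check(sid, {}, {"csrf_token": t})
    second = guard.check(sid, {}, {"csrf_token": t})
    return first, second


if __name__ == "__main__":
    print("leaky    replay of old token accepted:", replay_old_token(LeakyCsrfGuard()))
    print("hardened replay of old token accepted:", replay_old_token(HardenedCsrfGuard()))
    print("leaky    legitimate, then replay:", legitimate_then_replay(LeakyCsrfGuard()))
    print("hardened legitimate, then replay:", legitimate_then_replay(HardenedCsrfGuard()))
```

Rotating the token on every successful use is the strictest option and can break users who keep several forms open in different tabs; a per-session token bound to the session cookie, never placed in a URL and discarded when the session ends, already removes both problems named in the description. Whichever policy is chosen, the check must not consult the query string at all.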
References
Link | Resource |
---|---|
http://rhn.redhat.com/errata/RHSA-2017-0557.html | |
http://www.securityfocus.com/bid/92760 | Third Party Advisory VDB Entry |
https://access.redhat.com/errata/RHSA-2018:0296 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1373347 | Issue Tracking |
Configurations
History
No history.
Information
Published : 2016-09-07 18:59
Updated : 2024-02-28 15:21
NVD link : CVE-2016-7034
Mitre link : CVE-2016-7034
CVE.ORG link : CVE-2016-7034
Products Affected
redhat
- jboss_bpm_suite
CWE
CWE-352
Cross-Site Request Forgery (CSRF)