CVE-2016-7034

Published: Sep 7, 2016Modified: May 6, 2026

8.8

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

The dashbuilder in Red Hat JBoss BPM Suite 6.3.2 does not properly handle CSRF tokens generated during an active session and includes them in query strings, which makes easier for remote attackers to (1) bypass CSRF protection mechanisms or (2) conduct cross-site request forgery (CSRF) attacks by obtaining an old token.

Affected (1)

Products: Redhat: Jboss Bpm Suite

1 product

Jboss Bpm Suite

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Redhat Jboss Bpm Suite	Version 6.3.2

Related CWEs

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (8)

http://rhn.redhat.com/errata/RHSA-2017-0557.html

Source: secalert@redhat.com

http://www.securityfocus.com/bid/92760

Source: secalert@redhat.com

Third Party AdvisoryVDB Entry

https://access.redhat.com/errata/RHSA-2018:0296

Source: secalert@redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1373347

Source: secalert@redhat.com

Issue Tracking

http://rhn.redhat.com/errata/RHSA-2017-0557.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.securityfocus.com/bid/92760

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

https://access.redhat.com/errata/RHSA-2018:0296

Source: af854a3a-2127-422b-91ae-364da2661108

https://bugzilla.redhat.com/show_bug.cgi?id=1373347

Source: af854a3a-2127-422b-91ae-364da2661108

Issue Tracking

Timeline

No history available yet.