CVE-2016-7034

The dashbuilder in Red Hat JBoss BPM Suite 6.3.2 does not properly handle CSRF tokens generated during an active session and includes them in query strings, which makes easier for remote attackers to (1) bypass CSRF protection mechanisms or (2) conduct cross-site request forgery (CSRF) attacks by obtaining an old token.

Published: Sep 7, 2016
Updated: Apr 13, 2023
CVE: CVE-2016-7034
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P

CWEs:

CWE-352

Affected Software
References

Software	From	Fixed in
redhat / jboss_bpm_suite	6.3.2	6.3.2.x

http://rhn.redhat.com/errata/RHSA-2017-0557.html
http://www.securityfocus.com/bid/92760
https://access.redhat.com/errata/RHSA-2018:0296
https://bugzilla.redhat.com/show_bug.cgi?id=1373347

Vulnerability Database

289,697

CVE-2016-7034