CVE-2016-7034

High

Description

The dashbuilder in Red Hat JBoss BPM Suite 6.3.2 does not properly handle CSRF tokens generated during an active session and includes them in query strings, which makes it easier for remote attackers to (1) bypass CSRF protection mechanisms or (2) conduct cross-site request forgery (CSRF) attacks by obtaining an old token. A token carried in the URL is exposed through the Referer header, browser history and proxy or server logs, and because previously issued tokens are not invalidated, a token obtained that way remains usable for the rest of the session.
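The following is an added illustration and is not code from dashbuilder, JBoss BPM Suite or Red Hat: a minimal model of the two weaknesses in the description (a CSRF token read from the query string, and any token ever issued to the session being accepted) beside a hardened check that keeps one current token per session, accepts it only from the POST body or a request header, and compares it in constant time. The endpoint path, parameter names, the `Session`/`Request` classes and the simulated Referer leak are assumptions made for the example.

```python
"""Constructed model of a CSRF check that accepts stale, query-string tokens
versus one that rotates the token and reads it only from the body or a header.
Not Red Hat / dashbuilder code; names and paths are assumptions."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set
from urllib.parse import parse_qs, urlsplit


@dataclass
class Session:
    session_id: str
    issued_tokens: Set[str] = field(default_factory=set)  # weak model: never revoked
    current_token: Optional[str] = None                   # hardened model: one live token


@dataclass
class Request:
    method: str
    url: str
    headers: Dict[str, str]
    form: Dict[str, str]


# --- weak pattern: token in the URL, every token ever issued stays valid ---

def issue_token_weak(session: Session) -> str:
    tok = secrets.token_urlsafe(16)
    session.issued_tokens.add(tok)  # old tokens are kept alongside the new one
    return tok


def check_weak(session: Session, request: Request) -> bool:
    # Token is taken from the query string and accepted if it was *ever* issued.
    qs = parse_qs(urlsplit(request.url).query)
    tok = qs.get("csrf_token", [None])[0]
    return tok is not None and tok in session.issued_tokens


# --- hardened pattern: one current token, rotated, never in the URL ---

def issue_token_hardened(session: Session) -> str:
    tok = secrets.token_urlsafe(32)
    session.current_token = tok  # rotation invalidates the previous token
    return tok


def check_hardened(session: Session, request: Request) -> bool:
    # State-changing requests must be POST; the token travels in the body or a
    # header so it never reaches Referer, history or access logs via the URL.
    if request.method != "POST" or session.current_token is None:
        return False
    tok = request.form.get("csrf_token") or request.headers.get("X-CSRF-Token")
    if not tok:
        return False
    return hmac.compare_digest(tok, session.current_token)


def leaked_via_referer(request: Request) -> Dict[str, str]:
    """Simulate the leak: a browser that loads a cross-origin resource from the
    page sends the full URL, query string included, in the Referer header."""
    return {k: v[0] for k, v in parse_qs(urlsplit(request.url).query).items()}


def demo():
    # Weak server: the user receives a token, later receives a fresh one, and
    # the attacker replays the old one that leaked through Referer.
    sess = Session("sess-1")
    old = issue_token_weak(sess)
    issue_token_weak(sess)  # a newer token exists, the old one should be dead
    leaked = leaked_via_referer(
        Request("GET", f"/dashboard/delete?id=7&csrf_token={old}", {}, {})
    )["csrf_token"]
    forged = Request("GET", f"/dashboard/delete?id=7&csrf_token={leaked}", {}, {})
    weak_accepts_stale = check_weak(sess, forged)

    # Hardened server: the stale token is rejected, only the current one passes.
    sess2 = Session("sess-2")
    stale = issue_token_hardened(sess2)
    current = issue_token_hardened(sess2)
    replay = Request("POST", "/dashboard/delete", {}, {"id": "7", "csrf_token": stale})
    legit = Request("POST", "/dashboard/delete", {}, {"id": "7", "csrf_token": current})
    return weak_accepts_stale, check_hardened(sess2, replay), check_hardened(sess2, legit)


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

Rotating to a single live token per session is the strictest reading of "old tokens must not work"; in practice it breaks users with several tabs open, so many frameworks keep one per-session token for the session's lifetime and rely on never placing it in a URL plus a constant-time comparison. Either way, the check should refuse tokens arriving in the query string.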

References

https://bugzilla.redhat.com/show_bug.cgi?id=1373347

https://access.redhat.com/errata/RHSA-2018:0296

http://www.securityfocus.com/bid/92760

http://rhn.redhat.com/errata/RHSA-2017-0557.html

Details

Source: Mitre, NVD

Published: 2016-09-07

Updated: 2026-06-17

Risk Information

CVSS v2

Base Score: 6.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Severity: High

EPSS

EPSS: 0.00045