Bug 1357731 (CVE-2016-5401)

Summary: CVE-2016-5401 JBoss BPMS: CSRF in business-central
Product: [Other] Security Response
Reporter: Jeremy Choi <jechoi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: alazarot, apmukher, etirelli, jcoleman, kverlaen, mbaluch, mwinkler, nwallace, rrajasek, rzhang, security-response-team, tkirby
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-10-21 00:54:08 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1357374

Description Jeremy Choi 2016-07-19 01:39:12 UTC
There is no CSRF token implemented in business-central so the CSRF attack is possible. Attackers are able to cause unwanted modification of the target's instance by leading the users who are trusted to a specially-crafted web page.

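The attack pattern described in the report above, as an added illustration that is not part of this bug report and not code from business-central or any Red Hat product: a constructed, in-memory request handler in the pre-fix shape (any POST that carries a valid session cookie is honoured) next to the same handler with a synchronizer-token check. The Request and Session classes, the "deploy" action, the JSESSIONID cookie name and the attacker page are assumptions made for the demonstration only.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional


# Constructed stand-ins for what a browser sends and what the server keeps.
@dataclass
class Request:
    method: str
    cookies: Dict[str, str]   # the browser attaches cookies even on cross-site POSTs
    form: Dict[str, str]      # body fields are fully under the crafted page's control
    origin: Optional[str] = None


@dataclass
class Session:
    user: str
    # Per-session secret, generated server-side with a CSPRNG (assumed design).
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


SESSIONS: Dict[str, Session] = {}
DEPLOYED: List[str] = []      # the state an attacker wants to change on the victim's instance


def login(user: str) -> str:
    """Create a session and return its id (what would go into the JSESSIONID cookie)."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = Session(user=user)
    return sid


def _session_for(req: Request) -> Optional[Session]:
    return SESSIONS.get(req.cookies.get("JSESSIONID", ""))


def vulnerable_deploy(req: Request) -> int:
    """Pre-fix behaviour: a valid session cookie is the only thing checked,
    so a request the victim's browser was tricked into sending is accepted."""
    sess = _session_for(req)
    if req.method != "POST" or sess is None:
        return 403
    DEPLOYED.append(req.form.get("artifact", ""))
    return 200


def hardened_deploy(req: Request) -> int:
    """Synchronizer-token pattern: the form must echo the token that was rendered
    into the page for THIS session. A cross-origin page cannot read that token
    (same-origin policy), so it cannot forge a passing request."""
    sess = _session_for(req)
    if req.method != "POST" or sess is None:
        return 403
    supplied = req.form.get("csrf_token", "")
    # Constant-time comparison on bytes so a non-ASCII guess cannot raise instead of failing.
    if not hmac.compare_digest(supplied.encode(), sess.csrf_token.encode()):
        return 403
    DEPLOYED.append(req.form.get("artifact", ""))
    return 200


def forged_request(sid: str, extra_form: Optional[Dict[str, str]] = None) -> Request:
    """What a crafted page on an attacker-controlled origin (assumed: attacker.example)
    can make the victim's browser send: the session cookie rides along automatically,
    but the body only contains attacker-chosen fields."""
    form = {"artifact": "evil:1.0"}
    form.update(extra_form or {})
    return Request("POST", {"JSESSIONID": sid}, form, origin="https://attacker.example")


def legitimate_request(sid: str) -> Request:
    """A form submitted from the real UI, where the server rendered the token into the page."""
    token = SESSIONS[sid].csrf_token
    return Request("POST", {"JSESSIONID": sid}, {"artifact": "good:1.0", "csrf_token": token})


def demo() -> Dict[str, int]:
    """Run the same forged request against both handlers, plus two edge cases
    for the hardened one: a guessed token and a token stolen from a different session."""
    DEPLOYED.clear()
    victim = login("admin")
    other = login("someone-else")            # attacker's own session on the same server
    return {
        "vulnerable_forged": vulnerable_deploy(forged_request(victim)),
        "hardened_forged": hardened_deploy(forged_request(victim)),
        "hardened_guessed_token": hardened_deploy(
            forged_request(victim, {"csrf_token": "AAAA"})),
        "hardened_other_sessions_token": hardened_deploy(
            forged_request(victim, {"csrf_token": SESSIONS[other].csrf_token})),
        "hardened_legit": hardened_deploy(legitimate_request(victim)),
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
    print("deployed:", DEPLOYED)
```

The last two cases in demo() are the checks a reviewer of a CSRF fix asks about: the token must be unguessable (hence a CSPRNG and a constant-time compare) and bound to the session, so an attacker holding a valid token from their own login still cannot replay it against the victim's session.
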
Comment 1 Jeremy Choi 2016-07-19 01:39:22 UTC
Acknowledgments:

Name: Jeremy Choi (Red Hat Product Security Team)