Red Hat Bugzilla – Bug 1250552
CVE-2015-5178 JBoss AS/WildFly: missing X-Frame-Options header leading to clickjacking
Last modified: 2018-05-18 17:28:17 EDT
It was reported that the EAP management console is vulnerable to clickjacking because it does not set the X-Frame-Options HTTP header in its responses. An attacker could use this flaw to embed the EAP console in an attacker-controlled web page using a frame or iframe, and then trick a user who is logged in to the console into performing arbitrary actions in it.
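The root cause above is a response that a browser will happily render inside a cross-origin frame. The following is an added example, not code from this Bugzilla entry or from the JBoss/WildFly project: it classifies who may frame a page from its response headers, honouring Content-Security-Policy frame-ancestors over X-Frame-Options the way current browsers do, and flags the unpatched-console case (no header at all) as clickjackable. The header sets in SAMPLES are constructed for illustration; check_url is a thin network helper and is assumed to reach a live server you are permitted to test.

```python
"""Classify a response's anti-framing protection (added example, not project code)."""
from typing import Dict, List, Optional
from urllib.request import Request, urlopen


def parse_csp_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None


def frameable_by(headers: Dict[str, str]) -> str:
    """Return one of "nobody", "same-origin", "listed-origins", "anyone".

    CSP frame-ancestors wins over X-Frame-Options when both are present.
    A missing, unknown or obsolete (ALLOW-FROM) X-Frame-Options value gives
    no protection, so it is reported as "anyone".
    """
    lower = {k.lower(): v for k, v in headers.items()}

    csp = lower.get("content-security-policy")
    if csp is not None:
        ancestors = parse_csp_frame_ancestors(csp)
        if ancestors is not None:
            if ancestors == ["none"]:
                return "nobody"
            if ancestors == ["self"]:
                return "same-origin"
            if "*" in ancestors:
                return "anyone"
            return "listed-origins"

    xfo = lower.get("x-frame-options")
    if xfo is not None:
        value = xfo.strip().upper()
        if value == "DENY":
            return "nobody"
        if value == "SAMEORIGIN":
            return "same-origin"
        # ALLOW-FROM is obsolete and ignored by browsers; anything else
        # (e.g. ALLOWALL, a multi-valued header) is treated as unprotected
        # here so that a scanner flags it for review.
        return "anyone"

    return "anyone"


def is_clickjackable(headers: Dict[str, str]) -> bool:
    """True when an arbitrary origin can embed the page in an iframe."""
    return frameable_by(headers) == "anyone"


def check_url(url: str, timeout: float = 5.0) -> str:
    """Fetch url with GET and classify its headers (network helper, assumed target)."""
    req = Request(url, headers={"User-Agent": "frame-check/1.0"})
    with urlopen(req, timeout=timeout) as resp:
        return frameable_by(dict(resp.headers.items()))


# Constructed sample responses; the first mirrors a console that sets no
# anti-framing header at all, as described in the report above.
SAMPLES: Dict[str, Dict[str, str]] = {
    "console_no_header": {"Content-Type": "text/html", "Cache-Control": "no-cache"},
    "xfo_deny": {"Content-Type": "text/html", "X-Frame-Options": "DENY"},
    "csp_self": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "csp_overrides_xfo": {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors https://portal.example.com",
    },
    "invalid_xfo": {"X-Frame-Options": "ALLOWALL"},
}


if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        verdict = frameable_by(hdrs)
        flag = "CLICKJACKABLE" if is_clickjackable(hdrs) else "ok"
        print(f"{name:20s} frameable by: {verdict:15s} {flag}")
```

Running the block prints a verdict per constructed sample; the console_no_header and invalid_xfo cases come out CLICKJACKABLE, which is what to look for when re-testing a console after applying the errata listed on this page.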
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 5 via RHSA-2015:1904 https://rhn.redhat.com/errata/RHSA-2015-1904.html
  JBEAP 6.4.z for RHEL 6 via RHSA-2015:1905 https://rhn.redhat.com/errata/RHSA-2015-1905.html
  JBEAP 6.4.z for RHEL 7 via RHSA-2015:1906 https://rhn.redhat.com/errata/RHSA-2015-1906.html
  JBEAP 6.4.z for RHEL 6 via RHSA-2015:1907 https://rhn.redhat.com/errata/RHSA-2015-1907.html