{"api_version":"1","generated_at":"2026-04-23T00:58:33+00:00","cve":"CVE-2016-7034","urls":{"html":"https://cve.report/CVE-2016-7034","api":"https://cve.report/api/cve/CVE-2016-7034.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2016-7034","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2016-7034"},"summary":{"title":"CVE-2016-7034","description":"The dashbuilder in Red Hat JBoss BPM Suite 6.3.2 does not properly handle CSRF tokens generated during an active session and includes them in query strings, which makes easier for remote attackers to (1) bypass CSRF protection mechanisms or (2) conduct cross-site request forgery (CSRF) attacks by obtaining an old token.","state":"PUBLIC","assigner":"secalert@redhat.com","published_at":"2016-09-07 18:59:00","updated_at":"2018-02-15 02:29:00"},"problem_types":["CWE-352"],"metrics":[],"references":[{"url":"http://rhn.redhat.com/errata/RHSA-2017-0557.html","name":"RHSA-2017:0557","refsource":"REDHAT","tags":[],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"-1","archivestatus":"200"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1373347","name":"https://bugzilla.redhat.com/show_bug.cgi?id=1373347","refsource":"CONFIRM","tags":["Issue Tracking"],"title":"Bug 1373347 – CVE-2016-7034 JBoss bpms: insecure handling CSRF token in dashbuilder","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/bid/92760","name":"92760","refsource":"BID","tags":["Third Party Advisory","VDB Entry"],"title":"Red Hat JBoss BPMS CVE-2016-7034 Cross Site Request Forgery Vulnerability","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2018:0296","name":"RHSA-2018:0296","refsource":"REDHAT","tags":[],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2016-7034","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-7034","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2016","cve_id":"7034","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"jboss_bpm_suite","cpe6":"6.3.2","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2016","cve_id":"7034","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"jboss_bpm_suite","cpe6":"6.3.2","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2016-7034","ASSIGNER":"secalert@redhat.com","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"The dashbuilder in Red Hat JBoss BPM Suite 6.3.2 does not properly handle CSRF tokens generated during an active session and includes them in query strings, which makes easier for remote attackers to (1) bypass CSRF protection mechanisms or (2) conduct cross-site request forgery (CSRF) attacks by obtaining an old token."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"n/a","product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_affected":"=","version_value":"n/a"}]}}]}}]}},"references":{"reference_data":[{"url":"http://rhn.redhat.com/errata/RHSA-2017-0557.html","refsource":"MISC","name":"http://rhn.redhat.com/errata/RHSA-2017-0557.html"},{"url":"https://access.redhat.com/errata/RHSA-2018:0296","refsource":"MISC","name":"https://access.redhat.com/errata/RHSA-2018:0296"},{"url":"http://www.securityfocus.com/bid/92760","refsource":"MISC","name":"http://www.securityfocus.com/bid/92760"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1373347","refsource":"MISC","name":"https://bugzilla.redhat.com/show_bug.cgi?id=1373347"}]}},"nvd":{"publishedDate":"2016-09-07 18:59:00","lastModifiedDate":"2018-02-15 02:29:00","problem_types":["CWE-352"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":6.8},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":6.4,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:redhat:jboss_bpm_suite:6.3.2:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2016","CveId":"7034","Ordinal":"93340","Title":"CVE-2016-7034","CVE":"CVE-2016-7034","Year":"2016"},"notes":[{"CveYear":"2016","CveId":"7034","Ordinal":"1","NoteData":"The dashbuilder in Red Hat JBoss BPM Suite 6.3.2 does not properly handle CSRF tokens generated during an active session and includes them in query strings, which makes easier for remote attackers to (1) bypass CSRF protection mechanisms or (2) conduct cross-site request forgery (CSRF) attacks by obtaining an old token.","Type":"Description","Title":null},{"CveYear":"2016","CveId":"7034","Ordinal":"2","NoteData":"2016-09-07","Type":"Other","Title":"Published"},{"CveYear":"2016","CveId":"7034","Ordinal":"3","NoteData":"2018-02-14","Type":"Other","Title":"Modified"}]}}}