Vulnerabilities > Redhat > Jboss BPM Suite

DATE CVE VULNERABILITY TITLE RISK
2017-04-20 CVE-2016-5401 Cross-Site Request Forgery (CSRF) vulnerability in Redhat Jboss BPM Suite and Jboss Enterprise Brms Platform
Cross-site request forgery (CSRF) vulnerability in Red Hat JBoss BRMS and BPMS 6 allows remote attackers to hijack the authentication of users for requests that modify instances via a crafted web page.
network
low complexity
redhat CWE-352
8.8
2016-10-03 CVE-2016-5398 Cross-site Scripting vulnerability in Redhat Jboss BPM Suite
Cross-site scripting (XSS) vulnerability in Business Process Editor in Red Hat JBoss BPM Suite before 6.3.3 allows remote authenticated users to inject arbitrary web script or HTML by levering permission to create business processes.
network
low complexity
redhat CWE-79
5.4
2016-09-07 CVE-2016-7034 Cross-Site Request Forgery (CSRF) vulnerability in Redhat Jboss BPM Suite 6.3.2
The dashbuilder in Red Hat JBoss BPM Suite 6.3.2 does not properly handle CSRF tokens generated during an active session and includes them in query strings, which makes easier for remote attackers to (1) bypass CSRF protection mechanisms or (2) conduct cross-site request forgery (CSRF) attacks by obtaining an old token.
network
low complexity
redhat CWE-352
8.8
2016-09-07 CVE-2016-7033 Cross-site Scripting vulnerability in Redhat Jboss BPM Suite 6.3.2
Multiple cross-site scripting (XSS) vulnerabilities in the admin pages in dashbuilder in Red Hat JBoss BPM Suite 6.3.2 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
network
low complexity
redhat CWE-79
6.1
2016-09-07 CVE-2016-6344 Information Exposure vulnerability in Redhat Jboss BPM Suite 6.3
Red Hat JBoss BPM Suite 6.3.x does not include the HTTPOnly flag in a Set-Cookie header for session cookies, which makes it easier for remote attackers to obtain potentially sensitive information via script access to the cookies.
network
low complexity
redhat CWE-200
5.3
2016-08-05 CVE-2016-4999 SQL Injection vulnerability in Redhat products
SQL injection vulnerability in the getStringParameterSQL method in main/java/org/dashbuilder/dataprovider/sql/dialect/DefaultDialect.java in Dashbuilder before 0.6.0.Beta1 allows remote attackers to execute arbitrary SQL commands via a data set lookup filter in the (1) Data Set Authoring or (2) Displayer editor UI.
network
low complexity
redhat CWE-89
critical
9.8