Vulnerabilities > Redhat > Jboss BPM Suite > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2018-10-31 | CVE-2016-6343 | Cross-site Scripting vulnerability in Redhat Jboss BPM Suite JBoss BPM Suite 6 is vulnerable to a reflected XSS via dashbuilder. | 5.4 |
| 2018-08-01 | CVE-2016-8608 | Cross-site Scripting vulnerability in Redhat products JBoss BRMS 6 and BPM Suite 6 are vulnerable to a stored XSS via business process editor. | 5.4 |
| 2018-07-27 | CVE-2017-7463 | Cross-site Scripting vulnerability in Redhat Jboss BPM Suite JBoss BRMS 6 and BPM Suite 6 before 6.4.3 are vulnerable to a reflected XSS via artifact upload. | 4.3 |
| 2018-07-27 | CVE-2017-2658 | Improper Input Validation vulnerability in Redhat products It was discovered that the Dashbuilder login page as used in Red Hat JBoss BPM Suite before 6.4.2 and Red Hat JBoss Data Virtualization & Services before 6.4.3 could be opened in an IFRAME, which made it possible to intercept and manipulate requests. | 6.5 |
| 2018-07-26 | CVE-2017-7545 | XXE vulnerability in Redhat Decision Manager, Jboss BPM Suite and Jbpm It was discovered that the XmlUtils class in jbpmmigration 6.5 performed expansion of external parameter entities while parsing XML files. | 4.0 |
| 2017-04-20 | CVE-2016-5401 | Cross-Site Request Forgery (CSRF) vulnerability in Redhat Jboss BPM Suite and Jboss Enterprise Brms Platform Cross-site request forgery (CSRF) vulnerability in Red Hat JBoss BRMS and BPMS 6 allows remote attackers to hijack the authentication of users for requests that modify instances via a crafted web page. | 6.8 |
| 2016-09-07 | CVE-2016-7034 | Cross-Site Request Forgery (CSRF) vulnerability in Redhat Jboss BPM Suite 6.3.2 The dashbuilder in Red Hat JBoss BPM Suite 6.3.2 does not properly handle CSRF tokens generated during an active session and includes them in query strings, which makes easier for remote attackers to (1) bypass CSRF protection mechanisms or (2) conduct cross-site request forgery (CSRF) attacks by obtaining an old token. | 6.8 |
| 2016-09-07 | CVE-2016-7033 | Cross-site Scripting vulnerability in Redhat Jboss BPM Suite 6.3.2 Multiple cross-site scripting (XSS) vulnerabilities in the admin pages in dashbuilder in Red Hat JBoss BPM Suite 6.3.2 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
| 2016-09-07 | CVE-2016-6344 | Information Exposure vulnerability in Redhat Jboss BPM Suite 6.3 Red Hat JBoss BPM Suite 6.3.x does not include the HTTPOnly flag in a Set-Cookie header for session cookies, which makes it easier for remote attackers to obtain potentially sensitive information via script access to the cookies. | 5.0 |
| 2014-04-10 | CVE-2013-6468 | Code Injection vulnerability in Redhat products JBoss Drools, Red Hat JBoss BRMS before 6.0.1, and Red Hat JBoss BPM Suite before 6.0.1 allows remote authenticated users to execute arbitrary Java code via a (1) MVFLEX Expression Language (MVEL) or (2) Drools expression. | 6.5 |