SB2019112633 - Multiple vulnerabilities in JBoss Application Server
Published: November 26, 2019 Updated: August 8, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Cross-site request forgery (CVE-ID: CVE-2011-3609)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website, such as lead to unauthorized information leak if a user with admin privileges visits a specially-crafted web page provided by a remote attacker.
2) Cross-site scripting (CVE-ID: CVE-2011-3606)
The vulnerability allows a remote authenticated user to read and manipulate data.
A DOM based cross-site scripting flaw was found in the JBoss Application Server 7 before 7.1.0 Beta 1 administration console. A remote attacker could provide a specially-crafted web page and trick the valid JBoss AS user, with the administrator privilege, to visit it, which would lead into the DOM environment modification and arbitrary HTML or web script execution.
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.
References
- https://access.redhat.com/security/cve/cve-2011-3609
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3609
- https://security-tracker.debian.org/tracker/CVE-2011-3609
- https://www.securityfocus.com/bid/50888
- https://access.redhat.com/security/cve/cve-2011-3606
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3606
- https://security-tracker.debian.org/tracker/CVE-2011-3606