CVE-2015-5188
CVSS V2 Medium 6.8
CVSS V3 None
Description
Cross-site request forgery (CSRF) vulnerability in the Web Console (web-console) in Red Hat Enterprise Application Platform before 6.4.4 and WildFly (formerly JBoss Application Server) before 2.0.0.CR9 allows remote attackers to hijack the authentication of administrators for requests that make arbitrary changes to an instance via vectors involving a file upload using a multipart/form-data submission.
Overview
- CVE ID
- CVE-2015-5188
- Assigner
- secalert@redhat.com
- Vulnerability Status
- Modified
- Published Version
- 2015-10-27T16:59:03
- Last Modified Date
- 2023-02-12T23:15:34
Weakness Enumerations
CPE Configuration (Product)
| CPE | Vulnerable | Operator | Version Start | Version End |
|---|---|---|---|---|
| cpe:2.3:a:redhat:jboss_enterprise_application_platform:*:*:*:*:*:*:*:* | 1 | OR | 6.4.3 | |
| cpe:2.3:a:redhat:jboss_wildfly_application_server:*:cr8:*:*:*:*:*:* | 1 | OR | 2.0.0 |
CVSS Version 2
- Version
- 2.0
- Vector String
- AV:N/AC:M/Au:N/C:P/I:P/A:P
- Access Vector
- NETWORK
- Access Compatibility
- MEDIUM
- Authentication
- NONE
- Confidentiality Impact
- PARTIAL
- Integrity Impact
- PARTIAL
- Availability Impact
- PARTIAL
- Base Score
- 6.8
- Severity
- MEDIUM
- Exploitability Score
- 8.6
- Impact Score
- 6.4
References
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2015-5188 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5188 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2022-05-10 10:19:35 | Added to TrackCVE | |||
| 2022-12-02 07:01:01 | 2015-10-27T16:59Z | 2015-10-27T16:59:03 | CVE Published Date | updated |
| 2022-12-02 07:01:01 | 2015-10-28T18:54:14 | CVE Modified Date | updated | |
| 2022-12-02 07:01:01 | Analyzed | Vulnerability Status | updated | |
| 2023-02-02 21:05:08 | 2023-02-02T20:20:32 | CVE Modified Date | updated | |
| 2023-02-02 21:05:08 | Analyzed | Modified | Vulnerability Status | updated |
| 2023-02-02 21:05:09 | Cross-site request forgery (CSRF) vulnerability in the Web Console (web-console) in Red Hat Enterprise Application Platform before 6.4.4 and WildFly (formerly JBoss Application Server) before 2.0.0.CR9 allows remote attackers to hijack the authentication of administrators for requests that make arbitrary changes to an instance via vectors involving a file upload using a multipart/form-data submission. | It was discovered that when uploading a file using a multipart/form-data submission to the EAP Web Console, the Console was vulnerable to Cross-Site Request Forgery (CSRF). This meant that an attacker could use the flaw together with a forgery attack to make changes to an authenticated instance. | Description | updated |
| 2023-02-02 21:05:15 | References | updated | ||
| 2023-02-13 01:06:13 | 2023-02-12T23:15:34 | CVE Modified Date | updated | |
| 2023-02-13 01:06:13 | It was discovered that when uploading a file using a multipart/form-data submission to the EAP Web Console, the Console was vulnerable to Cross-Site Request Forgery (CSRF). This meant that an attacker could use the flaw together with a forgery attack to make changes to an authenticated instance. | Cross-site request forgery (CSRF) vulnerability in the Web Console (web-console) in Red Hat Enterprise Application Platform before 6.4.4 and WildFly (formerly JBoss Application Server) before 2.0.0.CR9 allows remote attackers to hijack the authentication of administrators for requests that make arbitrary changes to an instance via vectors involving a file upload using a multipart/form-data submission. | Description | updated |