Cross-site request forgery in hawtio - CVE-2017-7556
Published: August 17, 2017 / Updated: August 8, 2020
Vulnerability identifier: #VU38461
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2017-7556
CWE-ID: CWE-352
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: hawtio
Affected software:
hawtio
hawtio
Detailed vulnerability description
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website, such as be submitted to hawtio server on behalf of the user.
How to mitigate CVE-2017-7556
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.