CVE-2016-2884 : Cross-site request forgery (CSRF) vulnerability in IBM Forms Experience Builder

Cross-site request forgery (CSRF) vulnerability in IBM Forms Experience Builder 8.5.x and 8.6.x before 8.6.3.1, in an unspecified non-default configuration, allows remote authenticated users to hijack the authentication of arbitrary users for requests that insert XSS sequences.

Published 2016-11-30 20:59:01

Updated 2016-12-01 18:06:05

Source IBM Corporation

View at NVD, CVE.org

Vulnerability category: Cross site scripting (XSS)Cross-site request forgery (CSRF)

Products affected by CVE-2016-2884

IBM » Forms Experience Builder » Version: 8.6.0.0
cpe:2.3:a:ibm:forms_experience_builder:8.6.0.0:*:*:*:*:*:*:*
Matching versions
IBM » Forms Experience Builder » Version: 8.6.1
cpe:2.3:a:ibm:forms_experience_builder:8.6.1:*:*:*:*:*:*:*
Matching versions
IBM » Forms Experience Builder » Version: 8.5.1.0
cpe:2.3:a:ibm:forms_experience_builder:8.5.1.0:*:*:*:*:*:*:*
Matching versions
IBM » Forms Experience Builder » Version: 8.5.1.1
cpe:2.3:a:ibm:forms_experience_builder:8.5.1.1:*:*:*:*:*:*:*
Matching versions
IBM » Forms Experience Builder » Version: 8.6.1.1
cpe:2.3:a:ibm:forms_experience_builder:8.6.1.1:*:*:*:*:*:*:*
Matching versions
IBM » Forms Experience Builder » Version: 8.6.2
cpe:2.3:a:ibm:forms_experience_builder:8.6.2:*:*:*:*:*:*:*
Matching versions
IBM » Forms Experience Builder » Version: 8.6.2.1
cpe:2.3:a:ibm:forms_experience_builder:8.6.2.1:*:*:*:*:*:*:*
Matching versions
IBM » Forms Experience Builder » Version: 8.5.0.0
cpe:2.3:a:ibm:forms_experience_builder:8.5.0.0:*:*:*:*:*:*:*
Matching versions
IBM » Forms Experience Builder » Version: 8.6.3
cpe:2.3:a:ibm:forms_experience_builder:8.6.3:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2016-2884

EPSS FAQ

0.10%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 25 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2016-2884

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.0	MEDIUM	AV:N/AC:M/Au:S/C:P/I:P/A:P	6.8	6.4	NIST
Access Vector: Network Access Complexity: Medium Authentication: Single Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
8.0	HIGH	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H	2.1	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2016-2884

CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2016-2884

http://www-01.ibm.com/support/docview.wss?uid=swg21987252

IBM Security Bulletin: IBM Forms Experience Builder vulnerable to CSRF when configured with non default settings (CVE-2016-2884)
Patch;Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg1LO89686

IBM notice: The page you requested cannot be displayed
Not Applicable

Jump to

Vulnerability Details : CVE-2016-2884

Products affected by CVE-2016-2884

Exploit prediction scoring system (EPSS) score for CVE-2016-2884

CVSS scores for CVE-2016-2884

CWE ids for CVE-2016-2884

References for CVE-2016-2884