CVE-2016-2863

moderate-risk
Published 2016-07-03

Cross-site request forgery (CSRF) vulnerability in IBM WebSphere Commerce 7.0 Feature Pack 8, 8.0.0.x before 8.0.0.10, and 8.0.1.x before 8.0.1.2 allows remote authenticated users to hijack the authentication of arbitrary users for requests that insert XSS sequences.

Do I need to act?

-
0.10% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.0/10 High
NETWORK / LOW complexity

Affected Products (10)

Websphere Commerce
Websphere Commerce
Websphere Commerce
Websphere Commerce
Websphere Commerce
Websphere Commerce
Websphere Commerce
Websphere Commerce
Websphere Commerce
Websphere Commerce

Affected Vendors

Ibm

References (8)

http://www-01.ibm.com/support/docview.wss?uid=swg1JR55776
Vendor Advisory http://www-01.ibm.com/support/docview.wss?uid=swg21983626
http://www.securityfocus.com/bid/91544
http://www.securitytracker.com/id/1036219
http://www-01.ibm.com/support/docview.wss?uid=swg1JR55776
Vendor Advisory http://www-01.ibm.com/support/docview.wss?uid=swg21983626
http://www.securityfocus.com/bid/91544
http://www.securitytracker.com/id/1036219
44
/ 100
moderate-risk
Severity 28/34 · Critical
Exploitability 0/34 · Minimal
Exposure 16/34 · Moderate