CVE-2016-2884

moderate-risk
Published 2016-11-30

Cross-site request forgery (CSRF) vulnerability in IBM Forms Experience Builder 8.5.x and 8.6.x before 8.6.3.1, in an unspecified non-default configuration, allows remote authenticated users to hijack the authentication of arbitrary users for requests that insert XSS sequences.

Do I need to act?

-
0.10% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.0/10 High
NETWORK / LOW complexity

Affected Products (9)

Forms Experience Builder
Forms Experience Builder
Forms Experience Builder
Forms Experience Builder
Forms Experience Builder
Forms Experience Builder
Forms Experience Builder
Forms Experience Builder
Forms Experience Builder

Affected Vendors

Ibm

References (4)

Not Applicable http://www-01.ibm.com/support/docview.wss?uid=swg1LO89686
Patch http://www-01.ibm.com/support/docview.wss?uid=swg21987252
Not Applicable http://www-01.ibm.com/support/docview.wss?uid=swg1LO89686
Patch http://www-01.ibm.com/support/docview.wss?uid=swg21987252
43
/ 100
moderate-risk
Severity 28/34 · Critical
Exploitability 0/34 · Minimal
Exposure 15/34 · Moderate