Cross-Site Request Forgery Vulnerability in WSO2 Identity Server
CVE-2016-4311
8.8 HIGH
What is CVE-2016-4311?
CVE-2016-4311 is a cross-site request forgery (CSRF) vulnerability in the XACML flow feature of WSO2 Identity Server version 5.1.0. It allows remote attackers to hijack the authentication of privileged users through crafted requests that process XACML actions, specifically requests to the entitlement/eval-policy-submit.jsp endpoint. If successful, attackers may perform unauthorized actions on behalf of the victim user, potentially compromising sensitive data and access controls.