Description
Cross-site request forgery (CSRF) vulnerability in the admin terminal in Hawt.io allows remote attackers to hijack the authentication of arbitrary users for requests that run commands on the Karaf server, as demonstrated by running "shutdown -f."
Remediation
References
https://bugzilla.redhat.com/show_bug.cgi?id=1072681
https://github.com/hawtio/hawtio/commit/b4e23e002639c274a2f687ada980118512f06113
https://infocon.org/cons/SyScan/SyScan%202015%20Singapore/SyScan%202015%20Singapore%20presentations/SyScan15%20David%20Jorm%20-%20Finding%20and%20exploiting%20novel%20flaws%20in%20Java%20software.pdf
Related Vulnerabilities
CVE-2023-36542 Vulnerability in maven package org.apache.nifi:nifi-record-serialization-services
CVE-2022-24785 Vulnerability in maven package org.webjars.bowergithub.moment:moment
CVE-2016-10707 Vulnerability in maven package org.webjars.npm:jquery
CVE-2023-44270 Vulnerability in npm package postcss
CVE-2021-21120 Vulnerability in maven package org.webjars.npm:electron