CVE-2015-5178

2015-10-2716:59:01

CWE-254

redhat

web.nvd.nist.gov

cve-2015-5178

management console

red hat

enterprise application platform

clickjacking

x-frame-options

http header

vulnerability

wildfly

jboss application server

nvd

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

AI Score

6.4

Confidence

Low

EPSS

0.005

Percentile

76.0%

JSON

The Management Console in Red Hat Enterprise Application Platform before 6.4.4 and WildFly (formerly JBoss Application Server) does not send an X-Frame-Options HTTP header, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web page that contains a (1) FRAME or (2) IFRAME element.

Affected configurations

Nvd

Node

redhatjboss_wildfly_application_serverRange≤2.0.0cr8

Node

redhatjboss_enterprise_application_platformRange≤6.4.3

VendorProductVersionCPE
redhatjboss_wildfly_application_server*cpe:2.3:a:redhat:jboss_wildfly_application_server:*:cr8:*:*:*:*:*:*
redhatjboss_enterprise_application_platform*cpe:2.3:a:redhat:jboss_enterprise_application_platform:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
redhat	jboss_wildfly_application_server	*	cpe:2.3:a:redhat:jboss_wildfly_application_server::cr8::::::*
redhat	jboss_enterprise_application_platform	*	cpe:2.3:a:redhat:jboss_enterprise_application_platform::::::::