pcs CVE-2016-0720 Cross Site Request Forgery Vulnerability

pcs is prone to a cross-site request-forgery vulnerability because it fails to properly validate requests.

Exploiting this issue allows a remote attacker to perform certain unauthorized actions and gain access to the affected application. Other attacks are also possible.

Versions prior to pcs 0.9.149 are vulnerable.

Information

Bugtraq ID: 97984
Class: Design Error
CVE: CVE-2016-0720

Remote: Yes
Local: No
Published: Apr 21 2017 12:00AM
Updated: Apr 25 2017 11:08AM
Credit: Martin Prpic
Vulnerable: Redhat Enterprise Linux Resilient Storage 7
Redhat Enterprise Linux High Availability 7
Fedora Pacemaker Configuration System 0.9.137
Fedora Pacemaker Configuration System 0.9.140

Not Vulnerable: Fedora Pacemaker Configuration System 0.9.149

Exploit

An attacker can exploit this issue using a web browser.

References:

Bug 1299614 - (CVE-2016-0720) CVE-2016-0720 pcs: Cross-Site Request Forgery in w (Red Hat)
fix CSRF vulnerability (github)
Security Advisory Moderate: pcs security, bug fix, and enhancement update (Red Hat)

Source: www.securityfocus.com

Exploit Collector

Search Exploit