CVE-2011-1911 Information
Feb 14, 2021
cve
Description
JasperServer in JasperReports Server Community Project 3.7.0 and 3.7.1 uses a predictable _flowExecutionKey parameter, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via a brute-force approach.
Reference
http://www.csirtcv.gva.es/es/alertas/vulnerabilidad-en-jasperserver.html
http://www.csirtcv.gva.es/sites/all/files/images/content/5BCSIRT-cv5D20JasperServer203.7.020CE20CSRF20Advisory.pdf
http://www.kb.cert.org/vuls/id/519588
http://www.kb.cert.org/vuls/id/MAPG-8ELLJC
http://www.securityfocus.com/bid/49649
https://exchange.xforce.ibmcloud.com/vulnerabilities/69849