Systemic Cross-Site Request Forgery (CSRF) 

Issue date: 01-11-2019
Affects versions: 13.3, 13.2, 12.6, 11.2

Issue ID: SECURITY-122


Affected Product Version(s)
13.3.0, 13.2.2, 12.6.6, (and previous patch releases)




An attacker may forge a cross-site request to alter the state of the CMS, such as creating a new user. For such an attack to succeed, the request must be sent from a browser that has a valid CMS session (because a user is logged in to the CMS), the request must guess a number of request URL parameters correctly, the logged-in user must happen to have exactly the right panel in the CMS open, and the logged-in user must have permission to execute the requested action (admin privileges in the case of creating a user).

The Bloomreach Experience Manager code has been improved so that the above-mentioned requests are required to contain either the Origin or the Referer HTTP header, and the value of that header must match the target origin, as described in the corresponding OWASP recommendation. If neither of these headers is present and matching, the request is rejected. Before this fix, the Origin header was already checked, but since Firefox, Edge and IE by default don't send the Origin header on POST and CORS requests, we now fall back to the Referer header as recommended by OWASP. If the Referer header is also missing, the request is blocked.
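The check described above, sketched in Python as an added example; it is not Bloomreach's code. The function names, the `cms.example.com` origin and the sample headers are constructed for illustration. It assumes that a present Origin header decides the outcome alone, and that Referer is consulted only when Origin is absent.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin_of(url):
    """Return (scheme, host, port) for an absolute http(s) URL, else None."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None  # covers "Origin: null" and non-HTTP schemes
    if port is None:
        port = DEFAULT_PORTS[scheme]
    # hostname is already lower-cased and excludes any userinfo ("user@")
    return scheme, parts.hostname, port

def is_same_origin_request(headers, target_origin):
    """Accept only if Origin, or failing that Referer, matches target_origin."""
    target = origin_of(target_origin)
    if target is None:
        raise ValueError("target_origin must be an absolute http(s) URL")
    lowered = {k.lower(): v for k, v in headers.items()}  # names are case-insensitive
    for name in ("origin", "referer"):
        value = lowered.get(name)
        if value:
            # Compare parsed origins, never string prefixes of the raw header.
            return origin_of(value) == target
    return False  # neither header present: reject

# Constructed sample requests against a constructed target origin.
TARGET = "https://cms.example.com"
SAMPLES = [
    ({"Origin": "https://cms.example.com"}, "Origin matches"),
    ({"Referer": "https://cms.example.com:443/cms/?1"}, "Referer fallback"),
    ({}, "no Origin, no Referer"),
    ({"Origin": "null"}, "opaque Origin"),
    ({"Referer": "https://cms.example.com.evil.test/"}, "look-alike host"),
    ({"Referer": "https://cms.example.com@evil.test/"}, "userinfo trick"),
]

if __name__ == "__main__":
    for headers, label in SAMPLES:
        verdict = "accept" if is_same_origin_request(headers, TARGET) else "reject"
        print(f"{verdict:6}  {label}")
```

Comparing the parsed scheme, host and port is what rejects the last two samples; a `startswith` test on the raw Referer value would accept both.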


Every customer is advised to upgrade as soon as possible to the latest maintenance release as indicated above, or higher. This can be done by simply incrementing the version number of the parent POM for the implementation project.