A recent security audit by a third-party security consultancy highlighted that the web application (Clarity) did not offer any protection against Cross-Site Request Forgery (CSRF) attacks. This was confirmed by the fact that no unique token was supplied with each request: a request (e.g. one that edits a user account) can be replayed numerous times without any requirement for a unique token bound to the "sessionid".
All supported Clarity releases
The application is not performing token-based validation. The configuration that enables it has been available since Clarity 13.x.
CSRF attacks are prevented through the use of session tokens. To configure CSRF protection and mitigate the vulnerability, follow the steps below using one of the possible configuration combinations.
Clarity has had a configurable set of CSRF strategies since Clarity 13.2. The allowed configurations are:
Configuration is done by manually setting an attribute on the applicationServer element in the properties.xml file:
Use this sample as an example of where to edit the setting:
<applicationServer vendor="tomcat" useLdap="false" home="/opt/tomcat" adminPassword="xxxx" externalUrl="" tokenCacheCapacity="0" tokenCacheStrategy="session" disableApiAccess="false" notifyThreadPool="20">
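As an added example that is not part of this article or of the Clarity product, the following Python script audits a properties.xml for the tokenCacheStrategy and tokenCacheCapacity attributes shown above, so the setting can be verified before and after the edit (or across many environments) rather than by eye. The sample XML is constructed: it wraps the applicationServer element in a hypothetical <properties> root, and the only strategy value the script recognises is "session", the one shown in the snippet above.

```python
"""Audit a Clarity properties.xml for the CSRF token-cache attributes.

Added example, not part of the KB article or of the Clarity product.
Assumptions: the applicationServer element sits somewhere under the
document root (the <properties> wrapper below is constructed), and
"session" is the only tokenCacheStrategy value known from the article.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample: attribute values mirror the article's snippet, with the
# two CSRF attributes absent (the finding reported by the audit).
UNCONFIGURED = (
    '<properties>'
    '<applicationServer vendor="tomcat" useLdap="false" home="/opt/tomcat"'
    ' adminPassword="xxxx" externalUrl="" disableApiAccess="false"'
    ' notifyThreadPool="20"/>'
    '</properties>'
)

# Constructed sample: the same element after the fix described in the article.
CONFIGURED = (
    '<properties>'
    '<applicationServer vendor="tomcat" useLdap="false" home="/opt/tomcat"'
    ' adminPassword="xxxx" externalUrl="" tokenCacheCapacity="0"'
    ' tokenCacheStrategy="session" disableApiAccess="false"'
    ' notifyThreadPool="20"/>'
    '</properties>'
)


def find_app_server(root):
    """Return the applicationServer element, whether it is the root or nested."""
    if root.tag == "applicationServer":
        return root
    return root.find(".//applicationServer")


def csrf_setting(xml_text):
    """Report the CSRF-related attributes found on applicationServer."""
    node = find_app_server(ET.fromstring(xml_text))
    if node is None:
        return {"found": False, "strategy": None, "capacity": None}
    return {
        "found": True,
        "strategy": node.get("tokenCacheStrategy"),
        "capacity": node.get("tokenCacheCapacity"),
    }


def findings(xml_text):
    """List of problems; an empty list means the setting is present."""
    setting = csrf_setting(xml_text)
    if not setting["found"]:
        return ["no applicationServer element in properties.xml"]
    problems = []
    if setting["strategy"] is None:
        problems.append("tokenCacheStrategy is not set: CSRF token validation is not configured")
    if setting["capacity"] is None:
        problems.append("tokenCacheCapacity is not set")
    return problems


def apply_strategy(xml_text, strategy="session", capacity="0"):
    """Return the XML with both attributes set on applicationServer.

    ElementTree re-serialises the document and drops comments, so treat the
    result as a preview of the edit to make by hand in the real file.
    """
    root = ET.fromstring(xml_text)
    node = find_app_server(root)
    if node is None:
        raise ValueError("no applicationServer element to configure")
    node.set("tokenCacheStrategy", strategy)
    node.set("tokenCacheCapacity", capacity)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Usage: python csrf_audit.py /path/to/properties.xml
    # (with no argument the two constructed samples are audited instead)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            sources = {sys.argv[1]: fh.read()}
    else:
        sources = {"constructed unconfigured": UNCONFIGURED,
                   "constructed configured": CONFIGURED}
    for name, text in sources.items():
        problems = findings(text)
        status = "OK " + str(csrf_setting(text)) if not problems else "; ".join(problems)
        print(f"{name}: {status}")
```

Run it against the real properties.xml after the edit and again after an application restart or upgrade, since the audit finding in this article is precisely that the attribute was absent; the script only checks for presence of the attributes, because the article does not list the other permitted strategy values.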