The Pattern Insight web interface contains multiple vulnerabilities.
CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2012-4935: Pattern Insight: CSRF protections do not exist
When an already authorized victim navigates to a malicious site containing a hidden form request, it is possible for the malicious site to make authenticated requests to Pattern Insight on behalf of the victim.
An attacker with access to the Pattern Insight web interface can conduct a cross-site scripting, cross-site request forgery, or privilege escalation attack, which could result in information leakage, privilege escalation, and/or denial of service. Also, because the application can be framed, an attacker can perform clickjacking attacks.
We are currently unaware of a practical solution to this problem.
Thanks to the reporter who wishes to remain anonymous.
This document was written by Michael Orlando.