Vulnerabilities
Projects
Vulnerability Disclosure
About Us
Contact Us
Mend.io Vulnerability Database
What is a WS vulnerability ID?
What is an MSC vulnerability ID?
We found results for “”
CVE-2019-3873
Good to know:
Date: June 12, 2019
It was found that Picketlink as shipped with Jboss Enterprise Application Platform 7.2 would accept an xinclude parameter in SAMLresponse XML. An attacker could use this flaw to send a URL to achieve cross-site scripting or possibly conduct further attacks.
Language: Java
Severity Score
Severity Score
Weakness Type (CWE)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-79Top Fix
Upgrade Version
Upgrade to version org.overlord:overlord-commons-idp-jetty8:no_fix;org.overlord:overlord-commons-idp-jetty8:no_fix;org.overlord:overlord-commons-idp-jetty8:no_fix;org.overlord:overlord-commons-idp-jetty8:no_fix;org.overlord:overlord-commons-idp:no_fix;org.overlord:overlord-commons-idp:no_fix;org.overlord:overlord-commons-idp:no_fix;org.picketlink:picketlink-common:2.5.5.SP12;org.picketlink:picketlink-common:2.5.5.SP12;org.picketlink:picketlink-common:2.6.0.Beta2;org.picketlink:picketlink-common:2.5.5.SP12;org.picketlink:picketlink-common:2.5.5.SP12;org.overlord:overlord-commons-idp-tomcat7:no_fix
CVSS v3.1
| Base Score: |
|
|---|---|
| Attack Vector (AV): | NETWORK |
| Attack Complexity (AC): | LOW |
| Privileges Required (PR): | LOW |
| User Interaction (UI): | NONE |
| Scope (S): | CHANGED |
| Confidentiality (C): | NONE |
| Integrity (I): | LOW |
| Availability (A): | LOW |
CVSS v2
| Base Score: |
|
|---|---|
| Access Vector (AV): | NETWORK |
| Access Complexity (AC): | MEDIUM |
| Authentication (AU): | SINGLE |
| Confidentiality (C): | PARTIAL |
| Integrity (I): | PARTIAL |
| Availability (A): | PARTIAL |
| Additional information: |