Description
It was found that PicketLink, as shipped with JBoss Enterprise Application Platform 7.2, would accept an XInclude parameter in SAML response XML. An attacker could use this flaw to send a URL to achieve cross-site scripting or possibly conduct further attacks.
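The defensive side of this issue, as an added Java illustration that is not PicketLink's own code or the fix shipped in EAP: a JAXP `DocumentBuilderFactory` configured so that an `xi:include` element in a received SAML response is never resolved, after which the message can be rejected outright. The sample response and its placeholder `href` are constructed for the example, and the `disallow-doctype-decl` feature assumes a Xerces-based parser such as the JDK default.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

public class SamlParserHardening {

    static final String XINCLUDE_NS = "http://www.w3.org/2001/XInclude";

    // Constructed sample: a minimal SAML-style response carrying an xi:include element.
    // The href is a placeholder; the point is that the parser must leave it unexpanded.
    static final String SAMPLE_RESPONSE =
        "<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\""
      + " xmlns:xi=\"" + XINCLUDE_NS + "\">"
      + "<xi:include href=\"placeholder-uri\" parse=\"text\"/>"
      + "</samlp:Response>";

    /** Builds a factory that will not expand XInclude, DTDs or external entities. */
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setXIncludeAware(false);               // never resolve xi:include
        f.setExpandEntityReferences(false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // Xerces feature
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f;
    }

    /** Parses the message and reports whether an xi:include element survived unexpanded. */
    static boolean containsUnexpandedInclude(DocumentBuilderFactory f, String xml) throws Exception {
        DocumentBuilder b = f.newDocumentBuilder();
        Document doc = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        NodeList includes = doc.getElementsByTagNameNS(XINCLUDE_NS, "include");
        return includes.getLength() > 0;
    }

    public static void main(String[] args) throws Exception {
        // With XInclude disabled the element stays in the DOM, so a validation layer
        // can refuse the message instead of letting the parser fetch the referenced URI.
        if (containsUnexpandedInclude(hardenedFactory(), SAMPLE_RESPONSE)) {
            System.out.println("rejected: xi:include present in SAML response");
        } else {
            System.out.println("accepted: no XInclude elements");
        }
    }
}
```

Reviewing the SAML response in this way before signature validation ensures the parser itself never performs any fetch on behalf of an untrusted message.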