CVE-2019-3873

critical

Description

It was found that PicketLink, as shipped with JBoss Enterprise Application Platform 7.2, would accept an XInclude directive (an `xi:include` element) inside the SAMLResponse XML it parses. Because the parser expanded the include, an attacker could supply a URL in that directive and use the fetched content to achieve cross-site scripting or possibly conduct further attacks.
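The following is an added example, not PicketLink or JBoss code, that reproduces the bug class described above with Python's standard-library `xml.etree.ElementInclude` standing in for an XInclude-aware SAML parser. The SAMLResponse payload, the `secret.txt` file it targets, and the function names (`build_response`, `vulnerable_name_id`, `hardened_name_id`, `demo`) are all constructed for the demonstration; a local file path is used as the include target so the example runs offline, where the CVE description speaks of a URL.

```python
"""XInclude injection in a SAMLResponse: vulnerable expansion vs. a hardened parse.

Added example (not PicketLink's code). ElementInclude plays the role of the
XInclude-aware parser; the payload, secret file and function names are constructed.
"""
import os
import tempfile
from typing import Tuple
from xml.etree import ElementTree as ET, ElementInclude

XINCLUDE_NS = "http://www.w3.org/2001/XInclude"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def build_response(name_id_markup: str) -> bytes:
    """Constructed SAMLResponse skeleton; name_id_markup is whatever the sender
    puts inside <saml:NameID> (a plain string for a benign login, an xi:include
    element for the attack)."""
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'xmlns:xi="{XINCLUDE_NS}">'
        f"<saml:Assertion><saml:Subject>"
        f"<saml:NameID>{name_id_markup}</saml:NameID>"
        f"</saml:Subject></saml:Assertion></samlp:Response>"
    ).encode()


def attack_payload(href: str) -> bytes:
    """Attacker-controlled response: the NameID is an XInclude pointing at href."""
    return build_response(f'<xi:include href="{href}" parse="text"/>')


def vulnerable_name_id(xml_bytes: bytes) -> str:
    """Mirrors the flaw: expand XInclude directives in untrusted XML, then trust
    the result. ElementInclude.include() fetches href and splices its content
    into the tree, so the attacker chooses what ends up in NameID."""
    root = ET.fromstring(xml_bytes)
    ElementInclude.include(root)
    return root.find(f".//{{{SAML}}}NameID").text or ""


def contains_xinclude(root: ET.Element) -> bool:
    """True if any element in the document lives in the XInclude namespace."""
    return any(el.tag.startswith(f"{{{XINCLUDE_NS}}}") for el in root.iter())


def hardened_name_id(xml_bytes: bytes) -> str:
    """Hardened path: never run XInclude processing on a SAMLResponse, and reject
    outright any document that carries an XInclude directive."""
    root = ET.fromstring(xml_bytes)
    if contains_xinclude(root):
        raise ValueError("XInclude directive in SAMLResponse rejected")
    return root.find(f".//{{{SAML}}}NameID").text or ""


def demo() -> Tuple[str, str]:
    """Returns (content leaked via the vulnerable path, outcome of the hardened path)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "secret.txt")  # constructed server-side file
        with open(secret, "w", encoding="utf-8") as fh:
            fh.write("db-password=hunter2")
        payload = attack_payload(secret)
        leaked = vulnerable_name_id(payload)
        try:
            hardened_name_id(payload)
            outcome = "accepted"
        except ValueError as exc:
            outcome = str(exc)
    return leaked, outcome


if __name__ == "__main__":
    leaked, outcome = demo()
    print("vulnerable parser returned NameID:", leaked)
    print("hardened parser:", outcome)
```

The important design point is that XInclude expansion is opt-in: `ET.fromstring` alone leaves the `xi:include` element in place as inert data, and the leak only happens because `ElementInclude.include` is called on attacker-supplied XML. A SAML consumer should parse responses with XInclude (and external entity resolution) disabled and, as the hardened path does, treat the presence of any XInclude-namespace element as a hard rejection rather than silently ignoring it.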

References

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3873

http://www.securityfocus.com/bid/108739

Details

Source: Mitre, NVD

Published: 2019-06-12

Updated: 2019-07-06

Risk Information

CVSS v2

Base Score: 6.0

Vector: CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 9.0

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Severity: Critical