Cross-Site Scripting Vulnerability in Pivotal Cloud Foundry's UAA Component
CVE-2018-1190
What is CVE-2018-1190?
An issue has been identified in Pivotal Cloud Foundry products where a reflected cross-site scripting (XSS) vulnerability exists in the clientId parameter of requests to the UAA OpenID Connect check session iframe endpoint. Because the endpoint reflects the parameter into the page it serves, an attacker who can get a logged-in user's browser to load a crafted URL can run arbitrary script in the UAA origin, in the context of that user, and so compromise the integrity of single logout session management. Operators should upgrade their deployments to a fixed version to mitigate this risk.
Affected Version(s)
Pivotal Cloud Foundry products: all versions prior to cf-release v270; UAA v3.x prior to v3.20.2; UAA bosh release v30.x prior to v30.8, and all other UAA bosh release versions prior to v45.0.
