Cross-Site Scripting Vulnerability in JBoss Enterprise Application Platform 7.2
CVE-2019-3873

6.4MEDIUM

Key Information:

Vendor: Red Hat
Status: Picketlink
Vendor: CVE Published:; 12 June 2019

Summary

A vulnerability exists in Picketlink within JBoss Enterprise Application Platform 7.2 that allows an attacker to exploit an xinclude parameter in SAMLresponse XML. By sending a specially crafted URL, the attacker could leverage this vulnerability to execute arbitrary scripts in the context of the user's session, potentially leading to further attacks on the application or sensitive data exposure.

Affected Version(s)

picketlink as shipped with Jboss Enterprise Application Server 7.2

References

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3873

x_refsource_CONFIRM

http://www.securityfocus.com/bid/108739

vdb-entryx_refsource_BID

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Jun 12, 2019
Vulnerability Reserved
Jan 3, 2019