CVE-2018-1190
Published: 2018-01-04
Priority: P4 25 · Severity: medium · CVSS 3.0 base score: 6.1
EPSS: 0.83% (53.1st percentile)
An issue was discovered in these Pivotal Cloud Foundry products: all versions prior to cf-release v270, UAA v3.x prior to v3.20.2, and UAA bosh v30.x versions prior to v30.8 and all other versions prior to v45.0. A cross-site scripting (XSS) attack is possible in the clientId parameter of a request to the UAA OpenID Connect check session iframe endpoint used for single logout session management.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in (per advisory text) |
|---|---|---|---|
| cloudfoundry | cf-release | <= 269 | v270 |
| pivotal | uaa | 3.0.0 – 3.20.1 | v3.20.2 |
| pivotal | uaa_bosh | <= 44 | v30.8 (30.x line), v45.0 (all other versions) |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| NVD | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
GHSA (published 2022-05-13)
CVE-2018-1190 [MEDIUM] CWE-79: Pivotal Cloud Foundry UAA XSS on UAA OpenID Connect check session iframe endpoint
OSV (published 2022-05-13)
CVE-2018-1190 [MEDIUM]: Pivotal Cloud Foundry UAA XSS on UAA OpenID Connect check session iframe endpoint
No detection rules found.