CVE-2019-1273 — Cross-site Scripting in Microsoft Windows

CWE-79 — Cross-site Scripting3 documents3 sources

Severity

5.4MEDIUMNVD

EPSS

0.6%

top 30.03%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Microsoft Windows Microsoft Windows 10 Version 1903 FOR 32-bit Systems Microsoft Windows 10 Version 1903 FOR Arm64-based Systems +16 more

Timeline

PublishedSep 11

Latest updateMay 24

Description

A cross-site-scripting (XSS) vulnerability exists when Active Directory Federation Services (ADFS) does not properly sanitize certain error messages, aka 'Active Directory Federation Services XSS Vulnerability'.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages19 packages

▶CVEListV5microsoft/windows6 versions+5

▶NVDmicrosoft/windows1803, 1903+1

▶NVDmicrosoft/windows_101803, 1809, 1903+2

▶CVEListV5microsoft/windows_server2019, 2019 (Core installation), version 1803 (Core Installation)+2

▶msrcmsrc/windows_server_2019

Patches

Patch: portal.msrc.microsoft.com ↗Patch: portal.msrc.microsoft.com ↗

🔴Vulnerability Details

GHSA

GHSA-h8p6-mq4p-xf54: A cross-site-scripting (XSS) vulnerability exists when Active Directory Federation Services (ADFS) does not properly sanitize certain error messages,↗2022-05-24

▶

📋Vendor Advisories

Microsoft

Active Directory Federation Services XSS Vulnerability↗2019-09-10

▶