CVE-2019-3873 — Cross-site Scripting in RED HAT Picketlink

CWE-79 — Cross-site Scripting5 documents5 sources

Severity

9.0CRITICALNVD

CNA6.4

EPSS

0.4%

top 39.06%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

RED HAT Picketlink Redhat Jboss Enterprise Application Platform Redhat Single Sign-on

Timeline

PublishedJun 12

Latest updateMay 24

Description

It was found that Picketlink as shipped with Jboss Enterprise Application Platform 7.2 would accept an xinclude parameter in SAMLresponse XML. An attacker could use this flaw to send a URL to achieve cross-site scripting or possibly conduct further attacks.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:HExploitability: 2.3 | Impact: 6.0

Affected Packages3 packages

▶NVDredhat/jboss_enterprise_application_platform7.2.0

▶CVEListV5red_hat/picketlinkas shipped with Jboss Enterprise Application Server 7.2

▶NVDredhat/single_sign-on7.0

🔴Vulnerability Details

GHSA

GHSA-59jq-66fv-jgww: It was found that Picketlink as shipped with Jboss Enterprise Application Platform 7↗2022-05-24

▶

CVEList

CVE-2019-3873: It was found that Picketlink as shipped with Jboss Enterprise Application Platform 7↗2019-06-12

▶

📋Vendor Advisories

Red Hat

picketlink: URL injection via xinclude parameter↗2019-06-10

▶

💬Community

Bugzilla

CVE-2019-3873 picketlink: URL injection via xinclude parameter↗2019-03-14

▶