Red Hat Picketlink vulnerabilities
2 known vulnerabilities affecting red_hat/picketlink.
Total CVEs: 2
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, MEDIUM 1
Vulnerabilities
CVE-2019-3873 (CRITICAL, CVSS 9.0, CWE-79, published 2019-06-12)
It was found that Picketlink as shipped with JBoss Enterprise Application Platform 7.2 would accept an XInclude parameter in SAMLResponse XML. An attacker could use this flaw to send a URL to achieve cross-site scripting or possibly conduct further attacks.
Sources: cvelistv5, nvd
CVE-2019-3872 (MEDIUM, CVSS 5.4, CWE-79, published 2019-06-12)
It was found that a SAMLRequest containing a script could be processed by Picketlink versions shipped in JBoss Application Platform 7.2.x and 7.1.x. An attacker could use this to send a malicious script to achieve cross-site scripting and obtain unauthorized information or conduct further attacks.
Sources: cvelistv5, nvd