CVE-2018-8899 Information

Description

IdentityServer IdentityServer4 1.x before 1.5.3 and 2.x before 2.1.3 does not encode the redirect URI on the authorization response page which might lead to XSS in some configurations.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Reference

https://github.com/IdentityServer/IdentityServer4/commit/21d0da227f50ac102de469a13bc5a15d2cc0f895
https://github.com/IdentityServer/IdentityServer4/issues/2164
https://github.com/IdentityServer/IdentityServer4/releases/tag/1.5.3
https://github.com/IdentityServer/IdentityServer4/releases/tag/2.1.3

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

Base Score

6.1

Base Severity

MEDIUM
