Vulnerability Description
IdentityServer IdentityServer4 1.x before 1.5.3 and 2.x before 2.1.3 does not encode the redirect URI on the authorization response page, which might lead to XSS in some configurations.
CVSS Score
6.1
MEDIUM
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Identityserver | Identityserver4 | >= 1.0.0, <= 1.5.2 |
Related Weaknesses (CWE)
References
- https://github.com/IdentityServer/IdentityServer4/commit/21d0da227f50ac102de469aPatchThird Party Advisory
- https://github.com/IdentityServer/IdentityServer4/issues/2164Issue TrackingThird Party Advisory
- https://github.com/IdentityServer/IdentityServer4/releases/tag/1.5.3Third Party Advisory
- https://github.com/IdentityServer/IdentityServer4/releases/tag/2.1.3Third Party Advisory
- https://github.com/IdentityServer/IdentityServer4/commit/21d0da227f50ac102de469aPatchThird Party Advisory
- https://github.com/IdentityServer/IdentityServer4/issues/2164Issue TrackingThird Party Advisory
- https://github.com/IdentityServer/IdentityServer4/releases/tag/1.5.3Third Party Advisory
- https://github.com/IdentityServer/IdentityServer4/releases/tag/2.1.3Third Party Advisory
FAQ
What is CVE-2018-8899?
CVE-2018-8899 is a vulnerability with a CVSS score of 6.1 (MEDIUM). IdentityServer IdentityServer4 1.x before 1.5.3 and 2.x before 2.1.3 does not encode the redirect URI on the authorization response page, which might lead to XSS in some configurations.
How severe is CVE-2018-8899?
CVE-2018-8899 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-8899?
Check the references section above for vendor advisories and patch information. Affected products include: Identityserver Identityserver4.