Vulnerability Description
It was found that PicketLink as shipped with JBoss Enterprise Application Platform 7.2 would accept an XInclude parameter in SAMLResponse XML. An attacker could use this flaw to send a URL to achieve cross-site scripting or possibly conduct further attacks.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | JBoss Enterprise Application Platform | 7.2.0 |
| Red Hat | Enterprise Linux | 6.0 |
| Red Hat | Single Sign-On | 7.0 |
References
- http://www.securityfocus.com/bid/108739
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3873 (Issue Tracking, Vendor Advisory)
FAQ
What is CVE-2019-3873?
CVE-2019-3873 is a vulnerability with a CVSS score of 6.4 (MEDIUM). It was found that PicketLink as shipped with JBoss Enterprise Application Platform 7.2 would accept an XInclude parameter in SAMLResponse XML. An attacker could use this flaw to send a URL to achieve ...
How severe is CVE-2019-3873?
CVE-2019-3873 has been rated MEDIUM with a CVSS base score of 6.4/10. Review the CVSS score above for the severity rating.
Is there a patch for CVE-2019-3873?
Check the references section above for vendor advisories and patch information. Affected products include: Red Hat JBoss Enterprise Application Platform, Red Hat Enterprise Linux, Red Hat Single Sign-On.