CVE-2018-1190

Published: Jan 4, 2018Modified: Nov 21, 2024

6.1

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

An issue was discovered in these Pivotal Cloud Foundry products: all versions prior to cf-release v270, UAA v3.x prior to v3.20.2, and UAA bosh v30.x versions prior to v30.8 and all other versions prior to v45.0. A cross-site scripting (XSS) attack is possible in the clientId parameter of a request to the UAA OpenID Connect check session iframe endpoint used for single logout session management.

Affected (3)

Products: Cloudfoundry: Cf Release · Pivotal: Uaa, Uaa Bosh

1 product

2 products

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Cloudfoundry Cf Release	Up to 269
Pivotal Uaa	From 3.0.0 to 3.20.1
Pivotal Uaa Bosh	Up to 44

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (4)

http://www.securityfocus.com/bid/102427

Source: security_alert@emc.com

Third Party AdvisoryVDB Entry

https://www.cloudfoundry.org/cve-2018-1190/

Source: security_alert@emc.com

Issue TrackingVendor Advisory

http://www.securityfocus.com/bid/102427

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

https://www.cloudfoundry.org/cve-2018-1190/

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingVendor Advisory

Timeline

No history available yet.