CVE-2018-8899

MEDIUM

IdentityServer4 1.0.0-1.5.2 and 2.x < 2.1.3 - Cross-Site Scripting via Redirect URI

Description

IdentityServer IdentityServer4 1.x before 1.5.3 and 2.x before 2.1.3 does not encode the redirect URI on the authorization response page, which might lead to XSS in some configurations.

Scores

CVSS v3 6.1
EPSS 0.0126
EPSS Percentile 65.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (1)
identityserver/identityserver4 1.0.0 - 1.5.2
Published Mar 22, 2018
Tracked Since Feb 18, 2026