CVE-2018-8899

MEDIUM

IdentityServer4 1.x < 1.5.3 and 2.x < 2.1.3 - XSS

Description

IdentityServer IdentityServer4 1.x before 1.5.3 and 2.x before 2.1.3 does not encode the redirect URI on the authorization response page, which might lead to XSS in some configurations.

Scores

CVSS v3: 6.1
EPSS: 0.0029
EPSS Percentile: 52.7%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE: CWE-79
Status: published
Products (1): identityserver/identityserver4 1.0.0 - 1.5.2
Published: Mar 22, 2018
Tracked Since: Feb 18, 2026