Home > Vulnerability Database > CVE-2018-8899

Mend.io Vulnerability Database

CVE-2018-8899

Good to know:

Date: March 22, 2018

IdentityServer IdentityServer4 1.x before 1.5.3 and 2.x before 2.1.3 does not encode the redirect URI on the authorization response page, which might lead to XSS in some configurations.

Language: C#

Severity Score

6.1

Related Resources (6)

Url: https://nvd.nist.gov/vuln/detail/CVE-2018-8899

Url: https://github.com/IdentityServer/IdentityServer4/commit/21d0da227f50ac102de469a13bc5a15d2cc0f895

Url: https://github.com/IdentityServer/IdentityServer4/releases/tag/2.1.3

Url: https://github.com/IdentityServer/IdentityServer4/issues/2164

Url: https://github.com/IdentityServer/IdentityServer4/releases/tag/1.5.3

Url: https://www.mend.io/vulnerability-database/CVE-2018-8899

Severity Score

6.1

Weakness Type (CWE)

Cross-Site Scripting (XSS)

CWE-79

Top Fix

Upgrade Version

Upgrade to version 1.5.3,2.1.3

Learn More

CVSS v3.1

Base Score:	6.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

CVSS v2

Base Score:	4.3
Access Vector (AV):	NETWORK
Access Complexity (AC):	MEDIUM
Authentication (AU):	NONE
Confidentiality (C):	NONE
Integrity (I):	PARTIAL
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2018-8899

Good to know:

Date: March 22, 2018

Language: C#

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?