Jboss EAP Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability - CVE-2019-3873
Reference:
CVE-2019-3873
Title:
Jboss EAP Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability
Overview:
It was found that Picketlink as shipped with Jboss Enterprise Application Platform 7.2 would accept an xinclude parameter in SAMLresponse XML. An attacker could use this flaw to send a URL to achieve cross-site scripting or possibly conduct further attacks.