Main Vulnerability Database SB2018111316

SB2018111316 - Stored XSS in Active Directory Federation Services

Published: November 13, 2018

Security Bulletin ID SB2018111316

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Stored Cross-site scripting (CVE-ID: CVE-2018-8547)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in Microsoft Active Directory Federation Services (AD FS). A remote authenticated attacker can send a specially crafted request to the affected AD FS server, store XSS payload on it and execute it in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change permissions and delete content.

Remediation

Install update from vendor's website.

References

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8547