CVE-2015-1757

Name of the Vulnerable Software and Affected Versions Active Directory Federation Services (AD FS) versions in Microsoft Windows Server 2008 SP2 and R2 SP1 and Server 2012

Description The issue allows remote attackers to inject arbitrary web script or HTML via the wct parameter. This is due to the failure to take measures to protect the structure of web pages, which can be exploited by a remote attacker to inject arbitrary web or HTML code by manipulating the wct parameter.

Recommendations For Microsoft Windows Server 2008 SP2 and R2 SP1 and Server 2012, consider restricting access to the wct parameter in the affected API endpoint until a patch is available. As a temporary workaround, avoid using the wct parameter in the adfs/ls module to minimize the risk of exploitation.