PT-2019-5651 · Red Hat · Red Hat JBoss Enterprise Application Platform

Chess Hazlett

·

Published

2019-06-10

·

Updated

2019-07-06

·

CVE-2019-3873

CVSS v3.1

9.0

Critical

Vector

AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions JBoss Enterprise Application Platform version 7.2
Description The PicketLink component of JBoss Enterprise Application Platform 7.2 does not adequately protect against cross-site scripting when it handles SAML response XML. A remote attacker could exploit this by sending a URL carrying an xinclude parameter in the SAML response XML; if a user follows that URL, the attacker achieves cross-site scripting in the user's browser or uses it as a foothold for further attacks. The vector (PR:L, UI:R, S:C) reflects that the attacker needs only a low-privileged account plus one user action, and that the impact reaches beyond the vulnerable component itself.
Recommendations Apply the Red Hat Security Advisories listed under Related Identifiers (RHSA-2019:1419, RHSA-2019:1420, RHSA-2019:1421); they carry the JBoss Enterprise Application Platform 7.2 update that addresses CVE-2019-3873. Until that update is installed, make sure the XML parser that consumes SAML responses does not process XInclude directives (for a JAXP DocumentBuilderFactory this is setXIncludeAware(false), ideally together with refusing DTDs and external entities), and reject any SAML response in which XInclude elements are present rather than passing it on to later processing.
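The following is an added example, not code from this page, from PicketLink or from Red Hat. It assumes that XInclude processing in the XML parser is the enabling condition behind the "xinclude parameter in the SAML response XML" wording above, and it uses the standard JAXP parser configuration to show the difference: with XInclude on, an attacker-planted directive in a SAML-shaped response is spliced into the parsed document (here via the directive's own fallback text, since the target file is deliberately unreadable); with the hardened configuration the directive stays inert and a defence-in-depth check rejects the message. The class name, the constructed response and the helper names are all hypothetical.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class SamlXIncludeHardening {

    static final String XINCLUDE_NS = "http://www.w3.org/2001/XInclude";

    // Constructed sample, not a captured PicketLink message: a SAML-shaped
    // response into which an attacker has planted an XInclude directive.
    // The href points at a file that does not exist, so the xi:fallback
    // (attacker-chosen text) is what an XInclude-aware parser splices in.
    static final String HOSTILE_RESPONSE =
        "<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"\n"
      + "                xmlns:xi=\"http://www.w3.org/2001/XInclude\" ID=\"_r1\">\n"
      + "  <samlp:Status>\n"
      + "    <samlp:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:Success\"/>\n"
      + "  </samlp:Status>\n"
      + "  <xi:include href=\"file:///nonexistent/attacker-controlled\" parse=\"text\">\n"
      + "    <xi:fallback>&lt;script&gt;alert(document.domain)&lt;/script&gt;</xi:fallback>\n"
      + "  </xi:include>\n"
      + "</samlp:Response>";

    /** Weak configuration: XInclude processing enabled. The document the
     *  parser hands back is no longer what the peer sent, and attacker-chosen
     *  content reaches whatever later renders, logs or signs it. */
    static DocumentBuilderFactory xincludeAwareFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);   // XInclude needs namespace processing
        f.setXIncludeAware(true);
        return f;
    }

    /** Hardened configuration for a SAML consumer: XInclude off, DTDs and
     *  external entities refused, JAXP secure-processing limits on. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f;
    }

    static Document parse(DocumentBuilderFactory f, String xml) throws Exception {
        DocumentBuilder b = f.newDocumentBuilder();
        return b.parse(new InputSource(new StringReader(xml)));
    }

    /** Defence in depth: even with XInclude disabled, a response that still
     *  carries xi:* elements should be rejected, not passed on unexpanded. */
    static boolean containsXInclude(Document doc) {
        NodeList nodes = doc.getElementsByTagNameNS(XINCLUDE_NS, "*");
        return nodes.getLength() > 0;
    }

    public static void main(String[] args) throws Exception {
        Document weak = parse(xincludeAwareFactory(), HOSTILE_RESPONSE);
        // The xi:include element is gone; its fallback text now sits inside the response.
        System.out.println("XInclude-aware parser: xi:* elements left = " + containsXInclude(weak)
            + ", text content = " + weak.getDocumentElement().getTextContent().trim());

        Document hard = parse(hardenedFactory(), HOSTILE_RESPONSE);
        // The directive is inert, and the check refuses the message outright.
        boolean reject = containsXInclude(hard);
        System.out.println("Hardened parser: xi:* elements left = " + reject
            + (reject ? " -> reject SAML response" : ""));
    }
}
```

Run it with a stock JDK (no extra libraries): the first line shows the fallback `<script>` text spliced into the response by the XInclude-aware parser, the second shows the hardened parser leaving the `xi:include` element untouched and `containsXInclude` returning true, which is the point at which a SAML consumer should drop the message. The feature and attribute names are the standard JAXP/Xerces ones; on a non-Xerces parser an unsupported feature throws ParserConfigurationException, which should itself be treated as a fatal configuration error rather than caught and ignored.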

XSS


Weakness Enumeration

Related Identifiers

BDU:2020-04802
CVE-2019-3873
RHSA-2019:1419
RHSA-2019:1420
RHSA-2019:1421

Affected Products

Red Hat JBoss Enterprise Application Platform