PT-2015-1601 · Microsoft · Windows Server 2008+2

Published

2015-06-09

Updated

2018-10-12

CVE-2015-1757

CVSS v2.0

4.3

Medium

Vector

AV:N/AC:M/Au:N/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions Active Directory Federation Services (AD FS) versions in Microsoft Windows Server 2008 SP2 and R2 SP1 and Server 2012

Description The issue allows remote attackers to inject arbitrary web script or HTML via the wct parameter. This is due to the failure to take measures to protect the structure of web pages, which can be exploited by a remote attacker to inject arbitrary web or HTML code by manipulating the wct parameter.

Recommendations For Microsoft Windows Server 2008 SP2 and R2 SP1 and Server 2012, consider restricting access to the wct parameter in the affected API endpoint until a patch is available. As a temporary workaround, avoid using the wct parameter in the adfs/ls module to minimize the risk of exploitation.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

BDU:2015-10933

CVE-2015-1757

Affected Products

Active Directory Federation Services

Windows Server 2008

Windows Server 2012

PT-2015-1601 · Microsoft · Windows Server 2008+2

CVE-2015-1757

Weakness Enumeration

Related Identifiers

Affected Products

References · 6