CVE-2019-12250

Name of the Vulnerable Software and Affected Versions IdentityServer versions 4 through 2.4

Description The issue is related to stored XSS via the httpContext to the host/Extensions/RequestLoggerMiddleware.cs LogForErrorContext method. This can be triggered by viewing a log. It's worth noting that the software maintainer disputes this as a vulnerability, stating the request logger is not part of IdentityServer but only part of their development test host.

Recommendations For versions 4 through 2.4, as a temporary workaround, consider disabling the LogForErrorContext method in the RequestLoggerMiddleware.cs until a resolution is provided. At the moment, there is no information about a newer version that contains a fix for this vulnerability.