MidnightBSD

Advisories for identityserver

CVE-2017-12677 MEDIUM

IdentityServer3 2.4.x, 2.5.x, and 2.6.x before 2.6.1 has XSS in an Angular expression on the authorize response page, which might allow remote attackers to obtain sensitive information about the IdentityServer authorization response.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
identityserver identityserver3 2.5.0
identityserver identityserver3 2.5.1
identityserver identityserver3 2.5.3
identityserver identityserver3 2.4.0
identityserver identityserver3 2.5.2
identityserver identityserver3 2.6.0
CVE-2018-8899 MEDIUM

IdentityServer IdentityServer4 1.x before 1.5.3 and 2.x before 2.1.3 does not encode the redirect URI on the authorization response page, which might lead to XSS in some configurations.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
identityserver identityserver4 *
CVE-2019-12250 MEDIUM

IdentityServer IdentityServer4 through 2.4 has stored XSS via the httpContext to the host/Extensions/RequestLoggerMiddleware.cs LogForErrorContext method, which can be triggered by viewing a log. NOTE: the software maintainer disputes that this is a vulnerability because the request logger is not part of IdentityServer but only our development test host

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
identityserver identityserver4 *