CVE-2018-8547

EUVD-2018-20168

14.11.2018, 01:29

A cross-site-scripting (XSS) vulnerability exists when an open source customization for Microsoft Active Directory Federation Services (AD FS) does not properly sanitize a specially crafted web request to an affected AD FS server, aka "Active Directory Federation Services XSS Vulnerability." This affects Windows Server 2012 R2, Windows RT 8.1, Windows Server 2019, Windows Server 2016, Windows 8.1, Windows 10, Windows 10 Servers.

Cross-site Scripting

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.4 MEDIUM	NETWORK	LOW	LOW	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 73%

Affected Products (NVD)

Vendor	Product	Version
microsoft	windows_8.1	-
microsoft	windows_rt_8.1	-
microsoft	windows_server_2016	-
microsoft	windows_server_2019	-

𝑥

= Vulnerable software versions

Windows Releases

Platform

Version

Windows 10

1607 (x64, x86)	KB4467691
1709 (x64, x86)	KB4467686
1803 (arm64, x64, x86)	KB4467702
1809 (arm64, x64, x86)	KB4467708

Windows 8.1

(x64, x86)

KB4467703

Windows RT 8.1

All

KB4467697

Windows Server

1709 Server Core	KB4467686
1803 Server Core	KB4467702

Windows Server 2012 R2

Server Core	KB4467703
Standard	KB4467703

Windows Server 2016

Server Core	KB4467691
Standard	KB4467691

Windows Server 2019

Server Core	KB4467708
Standard	KB4467708

Common Weakness Enumeration

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

http://www.securityfocus.com/bid/105801

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8547

http://www.securityfocus.com/bid/105801

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8547