4 matches found
org.cloudfoundry.identity:cloudfoundry-identity-api (>=3.0.0 <=3.20.0), org.cloudfoundry.identity:cloudfoundry-identity-app (>=3.0.0 <=3.20.0) +1 more potentially affected by CVE-2016-6637 via org.cloudfoundry.identity:cloudfoundry-identity-server (>=3.0.0 <=3.3.0.4)
org.cloudfoundry.identity:cloudfoundry-identity-server MAVEN version =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.20.0 Source cves: CVE-2016-6637 Source advisory: OSV:GHSA-4M8C-H7FR-GQ5C...
com.alexbt:springboot-autoconfigure-openid-oauth (=1.0.9), com.appdirect:service-integration-sdk (>=1.24 <=v11.129.7) +10 more potentially affected by CVE-2019-3778 via org.springframework.security.oauth:spring-security-oauth (>=2.0.10.RELEASE <=2.0.14.RELEASE)
org.springframework.security.oauth:spring-security-oauth MAVEN version =2.0.10.RELEASE, =1.24, =2.7.4.7, =2.7.4.7, =2.7.4.7, =3.3.0.4, =3.3.0.4, =2.7.4.7, =4.4.0 Source cves: CVE-2019-3778 Source advisory: OSV:GHSA-77RV-6VFW-X4GC...
br.com.damsete.arq:damsete-arq (>=0.0.1 <=0.0.3), br.com.damsete.arq:damsete-arq-audit (>=0.0.1 <=0.0.3) +14 more potentially affected by CVE-2018-1260 via org.springframework.security.oauth:spring-security-oauth2 (>=2.3.0.RELEASE <=2.3.2.RELEASE)
org.springframework.security.oauth:spring-security-oauth2 MAVEN version =2.3.0.RELEASE, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =2.0.1, =4.0.0, =0.1.0, =4.26.0, =4.26.0, =3.3.0.6, =4.30.0 and more Source cves: CVE-2018-1260 Source advisory: OSV:GHSA-RRPM-PJ7P-7J9Q...
Cross-site Scripting (XSS)
cloudfoundry-identity-uaa is vulnerable to cross-site scripting (XSS) attacks. A malicious user can inject and execute arbitrary JavaScript through the clientId parameter of a request to the UAA OpenID Connect check session iframe endpoint...