2 matches found
CVE-2018-8038
CVE-2018-8038 affects Apache CXF Fediz prior to 1.4.4, where Document Type Declarations (DTDs) are not fully disabled when parsing Identity Provider responses (in application plugins) or in the IdP for certain XML parameters. Connected sources reinforce that the underlying issue is DTD handling a...
CVE-2017-12631
CVE-2017-12631 affects Apache CXF Fediz WS-Federation plugins (Spring 2, 3, 4). The root cause is a CSRF vulnerability that can cause a security context to be established using a malicious client’s roles for the end user. Affected components are the Fediz Spring plugins in versions before 1.4.3 a...