CVE-2019-12250
CVE-2019-12250 affects IdentityServer4 up to version 2.4. The issue is a stored XSS via the httpContext in host/Extensions/RequestLoggerMiddleware.cs LogForErrorContext, triggerable by viewing a log. Some sources (IdentityServer maintainers) dispute this as a vulnerability since the logger is not...
CVE-2018-8899
CVE-2018-8899 affects IdentityServer4: versions 1.x before 1.5.3 and 2.x before 2.1.3 do not encode the redirect URI on the authorization response page, which may allow a cross-site scripting (XSS) payload in certain configurations. The root cause is lack of encoding on the redirect URI in the au...