CVE-2018-8326 - Vulnerability Details - OpenCVE

A cross-site-scripting (XSS) vulnerability exists when an open source customization for Microsoft Active Directory Federation Services (AD FS) does not properly sanitize a specially crafted web request to an affected AD FS server, aka "Open Source Customization for Active Directory Federation Services XSS Vulnerability." This affects Web Customizations.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00432.

Key SSVC decision points have not yet been added.

Vendors	Products
Microsoft	Web Customizations

Configuration 1 [-]

cpe:2.3:a:microsoft:web_customizations:*:*:*:*:*:active_directory_federation_services:*:*

No data.

No data.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://www.securityfocus.com/bid/104656
http://www.securitytracker.com/id/1041266
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8326

History

No history.

MITRE

Status: PUBLISHED

Assigner: microsoft

Published: 2018-07-11T00:00:00

Updated: 2024-08-05T06:54:35.265Z

Reserved: 2018-03-14T00:00:00

Link: CVE-2018-8326

Vulnrichment

No data.

NVD

Status : Modified

Published: 2018-07-11T00:29:02.507

Modified: 2024-11-21T04:13:37.400

Link: CVE-2018-8326

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "Web Customizations", "vendor": "Microsoft", "versions": [{"status": "affected", "version": "Active Directory Federation Services"}]}], "datePublic": "2018-07-10T00:00:00", "descriptions": [{"lang": "en", "value": "A cross-site-scripting (XSS) vulnerability exists when an open source customization for Microsoft Active Directory Federation Services (AD FS) does not properly sanitize a specially crafted web request to an affected AD FS server, aka \"Open Source Customization for Active Directory Federation Services XSS Vulnerability.\" This affects Web Customizations."}], "problemTypes": [{"descriptions": [{"description": "Spoofing", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-07-11T09:57:01", "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8326"}, {"name": "1041266", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1041266"}, {"name": "104656", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/104656"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secure@microsoft.com", "ID": "CVE-2018-8326", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Web Customizations", "version": {"version_data": [{"version_value": "Active Directory Federation Services"}]}}]}, "vendor_name": "Microsoft"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A cross-site-scripting (XSS) vulnerability exists when an open source customization for Microsoft Active Directory Federation Services (AD FS) does not properly sanitize a specially crafted web request to an affected AD FS server, aka \"Open Source Customization for Active Directory Federation Services XSS Vulnerability.\" This affects Web Customizations."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Spoofing"}]}]}, "references": {"reference_data": [{"name": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8326", "refsource": "CONFIRM", "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8326"}, {"name": "1041266", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1041266"}, {"name": "104656", "refsource": "BID", "url": "http://www.securityfocus.com/bid/104656"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T06:54:35.265Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8326"}, {"name": "1041266", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1041266"}, {"name": "104656", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/104656"}]}]}, "cveMetadata": {"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "assignerShortName": "microsoft", "cveId": "CVE-2018-8326", "datePublished": "2018-07-11T00:00:00", "dateReserved": "2018-03-14T00:00:00", "dateUpdated": "2024-08-05T06:54:35.265Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:web_customizations:*:*:*:*:*:active_directory_federation_services:*:*", "matchCriteriaId": "489B2EBE-EC35-4958-9268-882302AB5DBB", "versionEndExcluding": "0.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A cross-site-scripting (XSS) vulnerability exists when an open source customization for Microsoft Active Directory Federation Services (AD FS) does not properly sanitize a specially crafted web request to an affected AD FS server, aka \"Open Source Customization for Active Directory Federation Services XSS Vulnerability.\" This affects Web Customizations."}, {"lang": "es", "value": "Existe una vulnerabilidad de Cross-Site Scripting (XSS) cuando una personalizci\u00f3n de origen abierta para Microsoft Active Directory Federation Services (AD FS) no sanea correctamente una petici\u00f3n web especialmente manipulada a un servidor AD FS. Esto tambi\u00e9n se conoce como \"Open Source Customization for Active Directory Federation Services XSS Vulnerability\". Esto afecta a Web Customizations."}], "id": "CVE-2018-8326", "lastModified": "2024-11-21T04:13:37.400", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-07-11T00:29:02.507", "references": [{"source": "secure@microsoft.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/104656"}, {"source": "secure@microsoft.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id/1041266"}, {"source": "secure@microsoft.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8326"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/104656"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id/1041266"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8326"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}