CVE-2018-8547 : A cross-site-scripting (XSS) vulnerability exists when an open source customizat

A cross-site-scripting (XSS) vulnerability exists when an open source customization for Microsoft Active Directory Federation Services (AD FS) does not properly sanitize a specially crafted web request to an affected AD FS server, aka "Active Directory Federation Services XSS Vulnerability." This affects Windows Server 2012 R2, Windows RT 8.1, Windows Server 2019, Windows Server 2016, Windows 8.1, Windows 10, Windows 10 Servers.

Published 2018-11-14 01:29:01

Updated 2018-12-14 19:10:21

Source Microsoft Corporation

View at NVD, CVE.org

Vulnerability category: Cross site scripting (XSS)

Products affected by CVE-2018-8547

Microsoft » Windows Server 2012 » Version: R2
cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
Matching versions
Microsoft » Windows 8.1 » Version: N/A
cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*
Matching versions
Microsoft » Windows Rt 8.1 » Version: N/A
cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*
Matching versions
Microsoft » Windows 10 » Version: 1607
cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*
Matching versions
Microsoft » Windows 10 » Version: 1709
cpe:2.3:o:microsoft:windows_10:1709:*:*:*:*:*:*:*
Matching versions
Microsoft » Windows 10 » Version: 1803
cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*
Matching versions
Microsoft » Windows 10 » Version: 1809
cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*
Matching versions
Microsoft » Windows Server 2016 » Version: N/A
cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*
Matching versions
Microsoft » Windows Server 2016 » Version: 1709
cpe:2.3:o:microsoft:windows_server_2016:1709:*:*:*:*:*:*:*
Matching versions
Microsoft » Windows Server 2016 » Version: 1803
cpe:2.3:o:microsoft:windows_server_2016:1803:*:*:*:*:*:*:*
Matching versions
Microsoft » Windows Server 2019 » Version: N/A
cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2018-8547

EPSS FAQ

0.43%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 60 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2018-8547

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
3.5	LOW	AV:N/AC:M/Au:S/C:N/I:P/A:N	6.8	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: Single Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
5.4	MEDIUM	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	2.3	2.7	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None

CWE ids for CVE-2018-8547

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2018-8547

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8547

CVE-2018-8547 - Security Update Guide - Microsoft - Active Directory Federation Services XSS Vulnerability
Patch;Vendor Advisory
http://www.securityfocus.com/bid/105801

Microsoft Active Directory Federation Services CVE-2018-8547 Cross-Site Scripting Vulnerability
Third Party Advisory;VDB Entry

Jump to

Vulnerability Details : CVE-2018-8547

Products affected by CVE-2018-8547

Exploit prediction scoring system (EPSS) score for CVE-2018-8547

CVSS scores for CVE-2018-8547

CWE ids for CVE-2018-8547

References for CVE-2018-8547