cvelistv5 - cve-2018-8326

CVE-2018-8326 (GCVE-0-2018-8326)

Vulnerability from cvelistv5

Published

2018-07-11 00:00

Modified

2024-08-05 06:54

Severity ?

CWE

Spoofing

Summary

A cross-site-scripting (XSS) vulnerability exists when an open source customization for Microsoft Active Directory Federation Services (AD FS) does not properly sanitize a specially crafted web request to an affected AD FS server, aka "Open Source Customization for Active Directory Federation Services XSS Vulnerability." This affects Web Customizations.

References

URL

Tags

secure@microsoft.com	http://www.securityfocus.com/bid/104656	Third Party Advisory, VDB Entry
secure@microsoft.com	http://www.securitytracker.com/id/1041266	Third Party Advisory, VDB Entry
secure@microsoft.com	https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8326	Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/104656	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	http://www.securitytracker.com/id/1041266	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8326	Patch, Vendor Advisory

Impacted products

	Vendor	Product	Version
	Microsoft	Web Customizations	Version: Active Directory Federation Services

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T06:54:35.265Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8326"
          },
          {
            "name": "1041266",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1041266"
          },
          {
            "name": "104656",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/104656"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Web Customizations",
          "vendor": "Microsoft",
          "versions": [
            {
              "status": "affected",
              "version": "Active Directory Federation Services"
            }
          ]
        }
      ],
      "datePublic": "2018-07-10T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A cross-site-scripting (XSS) vulnerability exists when an open source customization for Microsoft Active Directory Federation Services (AD FS) does not properly sanitize a specially crafted web request to an affected AD FS server, aka \"Open Source Customization for Active Directory Federation Services XSS Vulnerability.\" This affects Web Customizations."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Spoofing",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-07-11T09:57:01",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8326"
        },
        {
          "name": "1041266",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1041266"
        },
        {
          "name": "104656",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/104656"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secure@microsoft.com",
          "ID": "CVE-2018-8326",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Web Customizations",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Active Directory Federation Services"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Microsoft"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A cross-site-scripting (XSS) vulnerability exists when an open source customization for Microsoft Active Directory Federation Services (AD FS) does not properly sanitize a specially crafted web request to an affected AD FS server, aka \"Open Source Customization for Active Directory Federation Services XSS Vulnerability.\" This affects Web Customizations."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Spoofing"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8326",
              "refsource": "CONFIRM",
              "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8326"
            },
            {
              "name": "1041266",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1041266"
            },
            {
              "name": "104656",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/104656"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2018-8326",
    "datePublished": "2018-07-11T00:00:00",
    "dateReserved": "2018-03-14T00:00:00",
    "dateUpdated": "2024-08-05T06:54:35.265Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2018-8326\",\"sourceIdentifier\":\"secure@microsoft.com\",\"published\":\"2018-07-11T00:29:02.507\",\"lastModified\":\"2024-11-21T04:13:37.400\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A cross-site-scripting (XSS) vulnerability exists when an open source customization for Microsoft Active Directory Federation Services (AD FS) does not properly sanitize a specially crafted web request to an affected AD FS server, aka \\\"Open Source Customization for Active Directory Federation Services XSS Vulnerability.\\\" This affects Web Customizations.\"},{\"lang\":\"es\",\"value\":\"Existe una vulnerabilidad de Cross-Site Scripting (XSS) cuando una personalizci\u00f3n de origen abierta para Microsoft Active Directory Federation Services (AD FS) no sanea correctamente una petici\u00f3n web especialmente manipulada a un servidor AD FS. Esto tambi\u00e9n se conoce como \\\"Open Source Customization for Active Directory Federation Services XSS Vulnerability\\\". Esto afecta a Web Customizations.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":2.7}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:S/C:N/I:P/A:N\",\"baseScore\":3.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"LOW\",\"exploitabilityScore\":6.8,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:web_customizations:*:*:*:*:*:active_directory_federation_services:*:*\",\"versionEndExcluding\":\"0.1\",\"matchCriteriaId\":\"489B2EBE-EC35-4958-9268-882302AB5DBB\"}]}]}],\"references\":[{\"url\":\"http://www.securityfocus.com/bid/104656\",\"source\":\"secure@microsoft.com\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.securitytracker.com/id/1041266\",\"source\":\"secure@microsoft.com\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8326\",\"source\":\"secure@microsoft.com\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/104656\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.securitytracker.com/id/1041266\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8326\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]}]}}"
  }
}

gsd-2018-8326

Vulnerability from gsd

Modified

2023-12-13 01:22

Details

Aliases

CVE-2018-8326

Aliases

CVE-2018-8326

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2018-8326",
    "description": "A cross-site-scripting (XSS) vulnerability exists when an open source customization for Microsoft Active Directory Federation Services (AD FS) does not properly sanitize a specially crafted web request to an affected AD FS server, aka \"Open Source Customization for Active Directory Federation Services XSS Vulnerability.\" This affects Web Customizations.",
    "id": "GSD-2018-8326"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2018-8326"
      ],
      "details": "A cross-site-scripting (XSS) vulnerability exists when an open source customization for Microsoft Active Directory Federation Services (AD FS) does not properly sanitize a specially crafted web request to an affected AD FS server, aka \"Open Source Customization for Active Directory Federation Services XSS Vulnerability.\" This affects Web Customizations.",
      "id": "GSD-2018-8326",
      "modified": "2023-12-13T01:22:34.665756Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "secure@microsoft.com",
        "ID": "CVE-2018-8326",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Web Customizations",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "Active Directory Federation Services"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Microsoft"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "A cross-site-scripting (XSS) vulnerability exists when an open source customization for Microsoft Active Directory Federation Services (AD FS) does not properly sanitize a specially crafted web request to an affected AD FS server, aka \"Open Source Customization for Active Directory Federation Services XSS Vulnerability.\" This affects Web Customizations."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Spoofing"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8326",
            "refsource": "CONFIRM",
            "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8326"
          },
          {
            "name": "1041266",
            "refsource": "SECTRACK",
            "url": "http://www.securitytracker.com/id/1041266"
          },
          {
            "name": "104656",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/104656"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:microsoft:web_customizations:*:*:*:*:*:active_directory_federation_services:*:*",
                "cpe_name": [],
                "versionEndExcluding": "0.1",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "secure@microsoft.com",
          "ID": "CVE-2018-8326"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "A cross-site-scripting (XSS) vulnerability exists when an open source customization for Microsoft Active Directory Federation Services (AD FS) does not properly sanitize a specially crafted web request to an affected AD FS server, aka \"Open Source Customization for Active Directory Federation Services XSS Vulnerability.\" This affects Web Customizations."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8326",
              "refsource": "CONFIRM",
              "tags": [
                "Patch",
                "Vendor Advisory"
              ],
              "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8326"
            },
            {
              "name": "1041266",
              "refsource": "SECTRACK",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://www.securitytracker.com/id/1041266"
            },
            {
              "name": "104656",
              "refsource": "BID",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://www.securityfocus.com/bid/104656"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 3.5,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 6.8,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "LOW",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.0"
          },
          "exploitabilityScore": 2.3,
          "impactScore": 2.7
        }
      },
      "lastModifiedDate": "2018-09-05T11:59Z",
      "publishedDate": "2018-07-11T00:29Z"
    }
  }
}

cnvd-2018-13183

Vulnerability from cnvd

Title

Microsoft Active Directory Federation Services跨站脚本漏洞

Description

Microsoft Active Directory Federation Services（ADFS）是美国微软（Microsoft）公司推出的一项活动目录联合服务。该服务提供Web单一登入（SSO）技术，可实现在一次会话过程中对多个网站（或应用程序）验证某个使用者。 Microsoft AD FS中存在跨站脚本漏洞，该漏洞源于开源自定义未能正确的过滤发送到受影响AD FS服务器的特制Web请求。远程攻击者可通过发送特制的请求利用该漏洞在当前用户的安全上下文中执行脚本。

Severity

中

Patch Name

Microsoft Active Directory Federation Services跨站脚本漏洞的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8326

Reference

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8326

Impacted products

Name
Microsoft Active Directory Federation Services（ADFS）

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": [
      {
        "cveNumber": "CVE-2018-8326",
        "cveUrl": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8326"
      },
      {
        "cveNumber": "104656"
      }
    ]
  },
  "description": "Microsoft Active Directory Federation Services\uff08ADFS\uff09\u662f\u7f8e\u56fd\u5fae\u8f6f\uff08Microsoft\uff09\u516c\u53f8\u63a8\u51fa\u7684\u4e00\u9879\u6d3b\u52a8\u76ee\u5f55\u8054\u5408\u670d\u52a1\u3002\u8be5\u670d\u52a1\u63d0\u4f9bWeb\u5355\u4e00\u767b\u5165\uff08SSO\uff09\u6280\u672f\uff0c\u53ef\u5b9e\u73b0\u5728\u4e00\u6b21\u4f1a\u8bdd\u8fc7\u7a0b\u4e2d\u5bf9\u591a\u4e2a\u7f51\u7ad9\uff08\u6216\u5e94\u7528\u7a0b\u5e8f\uff09\u9a8c\u8bc1\u67d0\u4e2a\u4f7f\u7528\u8005\u3002\r\n\r\nMicrosoft AD FS\u4e2d\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5f00\u6e90\u81ea\u5b9a\u4e49\u672a\u80fd\u6b63\u786e\u7684\u8fc7\u6ee4\u53d1\u9001\u5230\u53d7\u5f71\u54cdAD FS\u670d\u52a1\u5668\u7684\u7279\u5236Web\u8bf7\u6c42\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u53d1\u9001\u7279\u5236\u7684\u8bf7\u6c42\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u5f53\u524d\u7528\u6237\u7684\u5b89\u5168\u4e0a\u4e0b\u6587\u4e2d\u6267\u884c\u811a\u672c\u3002",
  "discovererName": "Microsoft",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8326",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2018-13183",
  "openTime": "2018-07-16",
  "patchDescription": "Microsoft Active Directory Federation Services\uff08ADFS\uff09\u662f\u7f8e\u56fd\u5fae\u8f6f\uff08Microsoft\uff09\u516c\u53f8\u63a8\u51fa\u7684\u4e00\u9879\u6d3b\u52a8\u76ee\u5f55\u8054\u5408\u670d\u52a1\u3002\u8be5\u670d\u52a1\u63d0\u4f9bWeb\u5355\u4e00\u767b\u5165\uff08SSO\uff09\u6280\u672f\uff0c\u53ef\u5b9e\u73b0\u5728\u4e00\u6b21\u4f1a\u8bdd\u8fc7\u7a0b\u4e2d\u5bf9\u591a\u4e2a\u7f51\u7ad9\uff08\u6216\u5e94\u7528\u7a0b\u5e8f\uff09\u9a8c\u8bc1\u67d0\u4e2a\u4f7f\u7528\u8005\u3002\r\n\r\nMicrosoft AD FS\u4e2d\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5f00\u6e90\u81ea\u5b9a\u4e49\u672a\u80fd\u6b63\u786e\u7684\u8fc7\u6ee4\u53d1\u9001\u5230\u53d7\u5f71\u54cdAD FS\u670d\u52a1\u5668\u7684\u7279\u5236Web\u8bf7\u6c42\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u53d1\u9001\u7279\u5236\u7684\u8bf7\u6c42\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u5f53\u524d\u7528\u6237\u7684\u5b89\u5168\u4e0a\u4e0b\u6587\u4e2d\u6267\u884c\u811a\u672c\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Microsoft Active Directory Federation Services\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Microsoft Active Directory Federation Services\uff08ADFS\uff09"
  },
  "referenceLink": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8326",
  "serverity": "\u4e2d",
  "submitTime": "2018-07-12",
  "title": "Microsoft Active Directory Federation Services\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e"
}

fkie_cve-2018-8326

Vulnerability from fkie_nvd

Published

2018-07-11 00:29

Modified

2024-11-21 04:13

Severity ?

5.4 (Medium) - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Summary

References

URL	Tags
secure@microsoft.com	http://www.securityfocus.com/bid/104656	Third Party Advisory, VDB Entry
secure@microsoft.com	http://www.securitytracker.com/id/1041266	Third Party Advisory, VDB Entry
secure@microsoft.com	https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8326	Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/104656	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	http://www.securitytracker.com/id/1041266	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8326	Patch, Vendor Advisory

Impacted products

	Vendor	Product	Version
	microsoft	web_customizations	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:microsoft:web_customizations:*:*:*:*:*:active_directory_federation_services:*:*",
              "matchCriteriaId": "489B2EBE-EC35-4958-9268-882302AB5DBB",
              "versionEndExcluding": "0.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A cross-site-scripting (XSS) vulnerability exists when an open source customization for Microsoft Active Directory Federation Services (AD FS) does not properly sanitize a specially crafted web request to an affected AD FS server, aka \"Open Source Customization for Active Directory Federation Services XSS Vulnerability.\" This affects Web Customizations."
    },
    {
      "lang": "es",
      "value": "Existe una vulnerabilidad de Cross-Site Scripting (XSS) cuando una personalizci\u00f3n de origen abierta para Microsoft Active Directory Federation Services (AD FS) no sanea correctamente una petici\u00f3n web especialmente manipulada a un servidor AD FS. Esto tambi\u00e9n se conoce como \"Open Source Customization for Active Directory Federation Services XSS Vulnerability\". Esto afecta a Web Customizations."
    }
  ],
  "id": "CVE-2018-8326",
  "lastModified": "2024-11-21T04:13:37.400",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 3.5,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 6.8,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2018-07-11T00:29:02.507",
  "references": [
    {
      "source": "secure@microsoft.com",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/104656"
    },
    {
      "source": "secure@microsoft.com",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securitytracker.com/id/1041266"
    },
    {
      "source": "secure@microsoft.com",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8326"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/104656"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securitytracker.com/id/1041266"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8326"
    }
  ],
  "sourceIdentifier": "secure@microsoft.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CERTFR-2018-AVI-338

Vulnerability from certfr_avis

De multiples vulnérabilités ont été corrigées dans les produits Microsoft. Elles permettent à un attaquant de provoquer une exécution de code à distance, une usurpation d'identité et un contournement de la fonctionnalité de sécurité.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Microsoft	N/A	ChakraCore
Microsoft	N/A	Microsoft Lync 2013 Service Pack 1 (64 bits)
Microsoft	N/A	Skype pour Business 2016 (64 bits)
Microsoft	N/A	Microsoft Visual Studio 2017 Version 15.7.5
Microsoft	N/A	Microsoft Visual Studio 2010 Service Pack 1
Microsoft	N/A	Microsoft Access 2016 (édition 32 bits)
Microsoft	N/A	Microsoft Visual Studio 2017 Version 15.8 Preview
Microsoft	N/A	Microsoft Visual Studio 2013 Update 5
Microsoft	N/A	Microsoft Access 2013 Service Pack 1 (éditions 32 bits)
Microsoft	N/A	Microsoft Visual Studio 2015 Update 3
Microsoft	N/A	Microsoft Access 2016 (édition 64 bits)
Microsoft	N/A	Microsoft Visual Studio 2017
Microsoft	N/A	Microsoft Wireless Display Adapter V2 Software Version 2.0.8350
Microsoft	N/A	Microsoft Access 2013 Service Pack 1 (éditions 64 bits)
Microsoft	N/A	PowerShell Extension pour Visual Studio Code
Microsoft	N/A	Skype pour Business 2016 (32 bits)
Microsoft	N/A	Microsoft Research JavaScript Cryptography Library
Microsoft	N/A	PowerShell Editor Services
Microsoft	N/A	Microsoft Visual Studio 2012 Update 5
Microsoft	N/A	Microsoft Wireless Display Adapter V2 Software Version 2.0.8372
Microsoft	N/A	Expression Blend 4 Service Pack 3
Microsoft	N/A	Microsoft Wireless Display Adapter V2 Software Version 2.0.8365
Microsoft	N/A	Web Customizations pour Active Directory Federation Services
Microsoft	N/A	Microsoft Lync 2013 Service Pack 1 (32 bits)

References

Title

Publication Time

Tags

Bulletin de sécurité Microsoft du 10 juillet 2018

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "ChakraCore",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Lync 2013 Service Pack 1 (64 bits)",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Skype pour Business 2016 (64 bits)",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Visual Studio 2017 Version 15.7.5",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Visual Studio 2010 Service Pack 1",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Access 2016 (\u00e9dition 32 bits)",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Visual Studio 2017 Version 15.8 Preview",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Visual Studio 2013 Update 5",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Access 2013 Service Pack 1 (\u00e9ditions 32 bits)",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Visual Studio 2015 Update 3",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Access 2016 (\u00e9dition 64 bits)",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Visual Studio 2017",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Wireless Display Adapter V2 Software Version 2.0.8350",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Access 2013 Service Pack 1 (\u00e9ditions 64 bits)",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "PowerShell Extension pour Visual Studio Code",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Skype pour Business 2016 (32 bits)",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Research JavaScript Cryptography Library",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "PowerShell Editor Services",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Visual Studio 2012 Update 5",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Wireless Display Adapter V2 Software Version 2.0.8372",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Expression Blend 4 Service Pack 3",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Wireless Display Adapter V2 Software Version 2.0.8365",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Web Customizations pour Active Directory Federation Services",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Lync 2013 Service Pack 1 (32 bits)",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2018-8283",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-8283"
    },
    {
      "name": "CVE-2018-8276",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-8276"
    },
    {
      "name": "CVE-2018-8291",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-8291"
    },
    {
      "name": "CVE-2018-8306",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-8306"
    },
    {
      "name": "CVE-2018-8290",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-8290"
    },
    {
      "name": "CVE-2018-8238",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-8238"
    },
    {
      "name": "CVE-2018-8327",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-8327"
    },
    {
      "name": "CVE-2018-8172",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-8172"
    },
    {
      "name": "CVE-2018-8298",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-8298"
    },
    {
      "name": "CVE-2018-8326",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-8326"
    },
    {
      "name": "CVE-2018-8288",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-8288"
    },
    {
      "name": "CVE-2018-8312",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-8312"
    },
    {
      "name": "CVE-2018-8319",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-8319"
    },
    {
      "name": "CVE-2018-8311",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-8311"
    },
    {
      "name": "CVE-2018-8232",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-8232"
    },
    {
      "name": "CVE-2018-8294",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-8294"
    },
    {
      "name": "CVE-2018-8286",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-8286"
    },
    {
      "name": "CVE-2018-8279",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-8279"
    },
    {
      "name": "CVE-2018-8280",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-8280"
    },
    {
      "name": "CVE-2018-8287",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-8287"
    },
    {
      "name": "CVE-2018-8275",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-8275"
    }
  ],
  "initial_release_date": "2018-07-11T00:00:00",
  "last_revision_date": "2018-07-11T00:00:00",
  "links": [],
  "reference": "CERTFR-2018-AVI-338",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2018-07-11T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Usurpation d\u0027identit\u00e9"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Contournement de la fonctionnalit\u00e9 de s\u00e9curit\u00e9"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 corrig\u00e9es dans \u003cspan\nclass=\"textit\"\u003eles produits Microsoft\u003c/span\u003e. Elles permettent \u00e0 un\nattaquant de provoquer une ex\u00e9cution de code \u00e0 distance, une usurpation\nd\u0027identit\u00e9 et un contournement de la fonctionnalit\u00e9 de s\u00e9curit\u00e9.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Microsoft",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft du 10 juillet 2018",
      "url": "https://portal.msrc.microsoft.com/fr-FR/security-guidance"
    }
  ]
}

ghsa-g2j6-p9vm-4p3r

Vulnerability from github

Published

2022-05-14 03:01

Modified

2022-05-14 03:01

Severity ?

5.4 (Medium) - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2018-8326"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-07-11T00:29:00Z",
    "severity": "MODERATE"
  },
  "details": "A cross-site-scripting (XSS) vulnerability exists when an open source customization for Microsoft Active Directory Federation Services (AD FS) does not properly sanitize a specially crafted web request to an affected AD FS server, aka \"Open Source Customization for Active Directory Federation Services XSS Vulnerability.\" This affects Web Customizations.",
  "id": "GHSA-g2j6-p9vm-4p3r",
  "modified": "2022-05-14T03:01:05Z",
  "published": "2022-05-14T03:01:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-8326"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8326"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/104656"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1041266"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2018-8326 (GCVE-0-2018-8326)

Vulnerability from cvelistv5

gsd-2018-8326

Vulnerability from gsd

cnvd-2018-13183

Vulnerability from cnvd

fkie_cve-2018-8326

Vulnerability from fkie_nvd

CERTFR-2018-AVI-338

Vulnerability from certfr_avis

Solution

ghsa-g2j6-p9vm-4p3r

Vulnerability from github

Tags

Sightings

Nomenclature