It was found that Picketlink as shipped with Jboss Enterprise Application Platform 7.2 would accept an xinclude parameter in SAMLresponse XML. An attacker could use this flaw to send a URL to achieve cross-site scripting or possibly conduct further attacks.
CPE | Name | Operator | Version |
---|---|---|---|
jboss_enterprise_application_platform | eq | 7.2.0 | |
single_sign-on | eq | 7.0 |