{ "affected": [ { "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "21d0da227f50ac102de469a13bc5a15d2cc0f895" }, { "fixed": "02e7b1db08ea20483fa84f0087612f9d7c57d7e7" }, { "fixed": "35ac1ac2d8f62cc3c6b2602bb653c3e651cdcfd8" } ], "repo": "https://github.com/duendearchive/identityserver4", "type": "GIT" }, { "database_specific": { "versions": [ { "introduced": "1.0.0" }, { "last_affected": "1.5.2" }, { "introduced": "2.0.0" }, { "last_affected": "2.1.2" } ] }, "events": [ { "introduced": "62eea365e8835323230c32eff6ec9b7b78cc1be0" }, { "last_affected": "b9f179103be2d8708131394527cebc1e9f6b17aa" }, { "introduced": "1b88084c06eb6a0368ccec9fed7c9a295f1d508b" }, { "last_affected": "becb2206826b1039687b3ec895fad5e1b26ef0c5" } ], "repo": "https://github.com/identityserver/identityserver4", "type": "GIT" } ] } ], "details": "IdentityServer IdentityServer4 1.x before 1.5.3 and 2.x before 2.1.3 does not encode the redirect URI on the authorization response page, which might lead to XSS in some configurations.", "id": "CVE-2018-8899", "modified": "2026-03-13T21:52:28.210147357Z", "published": "2018-03-22T05:29:00.287Z", "references": [ { "type": "ADVISORY", "url": "https://github.com/IdentityServer/IdentityServer4/releases/tag/1.5.3" }, { "type": "ADVISORY", "url": "https://github.com/IdentityServer/IdentityServer4/releases/tag/2.1.3" }, { "type": "REPORT", "url": "https://github.com/IdentityServer/IdentityServer4/issues/2164" }, { "type": "FIX", "url": "https://github.com/IdentityServer/IdentityServer4/commit/21d0da227f50ac102de469a13bc5a15d2cc0f895" } ], "severity": [ { "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "type": "CVSS_V3" } ] }