GHSA-fhrq-3gmx-p879
Suggest an improvement- Source
- https://github.com/advisories/GHSA-fhrq-3gmx-p879
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-fhrq-3gmx-p879/GHSA-fhrq-3gmx-p879.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-fhrq-3gmx-p879
- Aliases
-
- CVE-2026-44793
- Published
- 2026-06-22T20:39:06Z
- Modified
- 2026-06-22T20:45:08.123593002Z
- Severity
-
- 2.3 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
- Summary
- OpenAM SAML2 Cluster Cookie-Hash-Redirect Path has Pre-authentication Reflected XSS via `FSUtils.postToTarget`
- Details
-
Summary
Certain federation endpoints do not consistently apply output encoding when rendering user-supplied parameters into HTML responses. Under a non-default configuration used in some clustered deployments, this inconsistency can result in reflected XSS in the OpenAM origin without authentication.
- Database specific
{ "github_reviewed_at": "2026-06-22T20:39:06Z", "severity": "LOW", "cwe_ids": [ "CWE-79" ], "github_reviewed": true, "nvd_published_at": null }- References
Affected packages
Maven / org.openidentityplatform.openam:openam-federation-library
Package
- Name
- org.openidentityplatform.openam:openam-federation-library
- View open source insights on deps.dev
- Purl
- pkg:maven/org.openidentityplatform.openam/openam-federation-library
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed16.1.1
Affected versions
14.*
14.5.2
14.5.3
14.5.4
14.6.1
14.6.2
14.6.3
14.6.4
14.6.5
14.6.6
14.7.0
14.7.1
14.7.2
14.7.3
14.7.4
14.8.1
14.8.2
14.8.3
14.8.4
15.*
15.0.0
15.0.1
15.0.2
15.0.3
15.0.4
15.1.0
15.1.1
15.1.2
15.1.3
15.1.4
15.1.5
15.1.6
15.2.0
15.2.1
15.2.2
16.*
16.0.1
16.0.2
16.0.3
16.0.4
16.0.5
16.0.6
16.1.0