VYPR
Moderate severity · NVD Advisory · Published Jan 4, 2018 · Updated Aug 5, 2024

CVE-2018-1190

Description

An issue was discovered in these Pivotal Cloud Foundry products: all versions prior to cf-release v270, UAA v3.x prior to v3.20.2, and UAA bosh v30.x versions prior to v30.8 and all other versions prior to v45.0. A cross-site scripting (XSS) attack is possible in the clientId parameter of a request to the UAA OpenID Connect check session iframe endpoint used for single logout session management.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A reflected XSS vulnerability in the UAA OpenID Connect check session iframe allows an attacker to execute arbitrary JavaScript via the clientId parameter.

Vulnerability

A reflected cross-site scripting (XSS) vulnerability exists in the UAA OpenID Connect (OIDC) check session iframe endpoint used for single logout session management. The clientId parameter is not properly escaped before being rendered into a JavaScript context in the returned HTML page. This affects Pivotal Cloud Foundry products: all versions prior to cf-release v270, UAA v3.x prior to v3.20.2, and UAA bosh v30.x versions prior to v30.8 and all other versions prior to v45.0 [2]. The vulnerable code resides in SessionController.java in the session() method and the associated Thymeleaf template session.html [3].

Exploitation

An attacker does not need authentication to trigger the vulnerability, because the /session endpoint is reachable without any prior authentication. By crafting a request whose clientId parameter contains a JavaScript payload, the attacker can cause the victim's browser to execute that script. For example, a request of the form GET /session?clientId=...&messageOrigin=... embeds the unescaped clientId directly into the JavaScript code on the returned page [3]. The attacker must convince a victim to visit the specially crafted URL, typically via phishing or by embedding the link on a third-party site.

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's session on the UAA server. This can lead to session hijacking, impersonation, theft of OAuth tokens, or other actions that the victim's session can perform. The impact is limited to the user's browser and UAA domain; however, because UAA is used for identity management in Cloud Foundry, an attacker could potentially access sensitive user data and perform operations on behalf of the victim.

Mitigation

The vulnerability is fixed in cf-release v270, UAA v3.20.2, UAA bosh v30.8, and UAA bosh v45.0 [2]. The fix escapes the clientId and messageOrigin parameters using JsonUtils.writeValueAsString() before adding them to the model, preventing injection [3]. Cloud Foundry operators should upgrade to these patched versions or later. No known workarounds are provided. The vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
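Added example, not code from UAA or from this advisory: a JavaScript simulation of how the check-session template inlines a server-supplied value into a string literal before the fix (raw value between single quotes) and after it (a JSON string literal, the role JsonUtils.writeValueAsString plays in the patch), verified by executing the rendered snippet and checking that the value round-trips. The helper names, the use of JSON.stringify as a stand-in for the Java serializer, and the extra HTML-safe replacements are this example's own assumptions.

```javascript
// Vulnerable pattern: the raw value is dropped between single quotes,
// mirroring the template's original '[[${clientId}]]'.
function renderVulnerable(value) {
  return "var expectedClientId = '" + value + "';\nreturn expectedClientId;";
}

// Fixed pattern: the value becomes a JSON string literal (the role
// JsonUtils.writeValueAsString plays in the patch) and is inlined unquoted.
// JSON.stringify stands in for the Java serializer (assumption). The extra
// replacements are this example's own hardening for an HTML <script> context:
// plain JSON leaves "</script>" intact, which would end the script element.
function toJsStringLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

function renderFixed(value) {
  return "var expectedClientId = " + toJsStringLiteral(value) +
    ";\nreturn expectedClientId;";
}

// Executes a rendered script and reports whether the original value comes
// back unchanged. A value that breaks out of the literal either throws a
// SyntaxError or yields a different string; both count as a failed round trip.
function roundTrips(render, value) {
  try {
    return new Function(render(value))() === value;
  } catch (e) {
    return false;
  }
}

// Constructed probes: the first is the input used by the patch's own
// regression test, the second exercises the HTML-context caveat.
function checkProbes() {
  return ["1'\"", "a</script>b"].map(function (p) {
    return {
      probe: p,
      vulnerableRoundTrips: roundTrips(renderVulnerable, p),
      fixedRoundTrips: roundTrips(renderFixed, p),
      fixedContainsScriptClose: renderFixed(p).includes("</script>"),
    };
  });
}
```

For the second probe the vulnerable rendering still round-trips as JavaScript; the break there happens at the HTML parser, which is why the example escapes `<`, `>` and `&` on top of JSON encoding.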

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.cloudfoundry.identity:cloudfoundry-identity-server (Maven)
Affected versions: >= 3.0.0, < 3.20.2
Patched versions: 3.20.2

Patches (1)

96fe26711f8f

Escape output

https://github.com/cloudfoundry/uaa · Jennifer Hamon · Dec 7, 2017 · via ghsa
3 files changed · +31 −8
  • server/src/main/java/org/cloudfoundry/identity/uaa/login/SessionController.java · +7 −2 · modified
    @@ -12,6 +12,7 @@
      *******************************************************************************/
     package org.cloudfoundry.identity.uaa.login;
     
    +import org.cloudfoundry.identity.uaa.util.JsonUtils;
     import org.springframework.stereotype.Controller;
     import org.springframework.ui.Model;
     import org.springframework.web.bind.annotation.RequestMapping;
    @@ -22,9 +23,13 @@ public class SessionController {
     
         @RequestMapping("/session")
         public String session(Model model, @RequestParam String clientId, @RequestParam String messageOrigin) {
    -        model.addAttribute("clientId", clientId);
    -        model.addAttribute("messageOrigin", messageOrigin);
    +        model.addAttribute("clientId", escape(clientId));
    +        model.addAttribute("messageOrigin", escape(messageOrigin));
             return "session";
         }
     
    +    private String escape(String s) {
    +        return JsonUtils.writeValueAsString(s);
    +    }
    +
     }
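Review bot: `escape` is a misleading name for the helper added at the end of this hunk, since `JsonUtils.writeValueAsString` returns a complete double-quoted JSON literal rather than an escaped value; any view that still wraps the attribute in its own quotes will render a broken or doubly quoted string. Consider naming it `toJsonLiteral` and documenting that the matching template must inline the attribute unquoted. Also confirm that the serializer escapes `<`, `>` and `/` (plain JSON does not), because the literal is emitted inside an HTML `<script>` element, where an unescaped `</script>` sequence would end the element.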
    
  • server/src/main/resources/templates/web/session.html · +2 −2 · modified
    @@ -6,14 +6,14 @@
         window.addEventListener('message', handleMessage, false);
     
         function handleMessage(e) {
    -      var origin = '[[${messageOrigin}]]';
    +      var origin = [[${messageOrigin}]];
           var messageOrigin = e.origin === 'null' ? null : e.origin;
           if ((messageOrigin || 'file://') !== origin) return;
     
           try {
             var messageTokens = e.data.split(' ');
             var clientId = messageTokens[0];
    -        var expectedClientId = '[[${clientId}]]';
    +        var expectedClientId = [[${clientId}]];
     
             if (clientId !== expectedClientId) {
               throw 'Client ID mismatch';
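Review bot: the two changed lines now depend on `${messageOrigin}` and `${clientId}` arriving as pre-quoted JSON literals and on the inlining emitting them without HTML entity escaping, but nothing in the template records that contract. Add a comment at the inlining site stating that the controller supplies ready-made JavaScript literals, or consider Thymeleaf's JavaScript inlining mode (`th:inline="javascript"`), which quotes and escapes string values itself, so that a later change to either the controller or the inlining mode does not silently reintroduce the injection or break the `origin` comparison on the line below.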
    
  • uaa/src/test/java/org/cloudfoundry/identity/uaa/login/SessionControllerMockMvcTests.java · +22 −4 · modified
    @@ -3,17 +3,35 @@
     import org.cloudfoundry.identity.uaa.mock.InjectedMockContextTest;
     import org.junit.Test;
     
    +import static org.hamcrest.CoreMatchers.containsString;
     import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
    +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
    +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.model;
     import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
     import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.view;
     
     public class SessionControllerMockMvcTests extends InjectedMockContextTest {
       @Test
    -  public void sessionControllerReturnsSessionView() throws Exception {
    +  public void sessionController_escapesClientIdValue() throws Exception {
    +    String input = "1'\"";
         getMockMvc().perform(get("/session")
    -        .param("clientId","1")
    +        .param("clientId", input)
             .param("messageOrigin", "origin"))
    -      .andExpect(view().name("session"))
    -      .andExpect(status().isOk());
    +        .andExpect(view().name("session"))
    +        .andExpect(status().isOk())
    +        .andExpect(model().size(2))
    +        .andExpect(model().attribute("clientId", "\"1'\\\"\""))
    +        .andExpect(content().string(containsString("\"1'\\\"\"")));
    +  }
    +
    +  @Test
    +  public void sessionController_escapesMessageOriginValue() throws Exception {
    +    getMockMvc().perform(get("/session")
    +        .param("clientId","1")
    +        .param("messageOrigin", "origin\""))
    +        .andExpect(view().name("session"))
    +        .andExpect(status().isOk())
    +        .andExpect(model().attribute("messageOrigin", "\"origin\\\"\""))
    +        .andExpect(content().string(containsString("\"origin\\\"\"")));
       }
     }
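Review bot: both new tests only assert that the escaped form appears in the rendered page; add a negative assertion that the previous single-quoted rendering (for example `'1'"'`) is absent, and a case whose input contains `<` or `/` so that a JSON encoder that stops escaping HTML-significant characters inside the `<script>` element fails the test instead of regressing silently. The `model().size(2)` check present in `sessionController_escapesClientIdValue` is also missing from `sessionController_escapesMessageOriginValue`; keep the two tests symmetric.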
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
