Stored XSS Vulnerability in IdentityServer4 RequestLoggerMiddleware

Stored XSS Vulnerability in IdentityServer4 RequestLoggerMiddleware

CVE-2019-12250 · MEDIUM Severity

AV:N/AC:M/AU:N/C:N/I:P/A:N

IdentityServer IdentityServer4 through 2.4 has stored XSS via the httpContext to the host/Extensions/RequestLoggerMiddleware.cs LogForErrorContext method, which can be triggered by viewing a log. NOTE: the software maintainer disputes that this is a vulnerability because the request logger is not part of IdentityServer but only our development test host

Learn more about our Cis Benchmark Audit For Server Software.