{"id":"CVE-2018-1190","details":"An issue was discovered in these Pivotal Cloud Foundry products: all versions prior to cf-release v270, UAA v3.x prior to v3.20.2, and UAA bosh v30.x versions prior to v30.8 and all other versions prior to v45.0. A cross-site scripting (XSS) attack is possible in the clientId parameter of a request to the UAA OpenID Connect check session iframe endpoint used for single logout session management.","aliases":["GHSA-j97q-9xp9-g5fx"],"modified":"2026-03-12T22:46:57.776583Z","published":"2018-01-04T06:29:00.467Z","references":[{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/102427"},{"type":"REPORT","url":"https://www.cloudfoundry.org/cve-2018-1190/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/cloudfoundry/cf-release","events":[{"introduced":"0"},{"last_affected":"b31611aaecacf6c42a8ed226ac7d42a0974fccdc"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"269"}]}}],"versions":["-","list","log","rc145.0","scotty_09012012","v","v100","v101","v102","v103","v104","v105","v106","v107","v108","v109","v110","v111","v112","v113","v114","v115","v116","v117","v118","v119","v119-fixed","v120","v121","v122","v123","v124","v125","v126","v127","v128","v129","v130","v131","v132","v133","v134","v135","v136","v137","v138","v139","v140","v141","v142","v143","v144","v145","v146","v147","v148","v149","v150","v151","v152","v153","v154","v155","v156","v157","v158","v159","v160","v161","v162","v163","v164","v165","v166","v168","v169","v170","v171","v172","v173","v175","v176","v177","v178","v179","v180","v182","v183","v186","v187","v188","v189","v190","v191","v192","v193","v194","v195","v196","v197","v198","v199","v200","v201","v202","v203","v204","v205","v206","v207","v208","v209","v210","v211","v212","v213","v214","v215","v217","v218","v219","v220","v221","v222","v223","v224","v225","v226","v227","v228","v229","v230","v231","v232","v233","v234","v235","v236","v237","v238","v239","v240","v241","v242","v243","v244","v245","v246","v247","v248","v249","v250","v251","v252","v253","v254","v255","v256","v257","v258","v259","v260","v261","v262","v263","v264","v265","v266","v267","v268","v269","v68","v69","v70","v71","v72","v73","v74","v75","v76","v77","v78","v79","v80","v81","v82","v83","v84","v85","v86","v87","v88","v89","v90","v91","v92","v93","v94","v95","v95-fixed","v96","v97","v98","v99","works-for-us"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-1190.json","unresolved_ranges":[{"events":[{"introduced":"3.0.0"},{"last_affected":"3.20.1"}]},{"events":[{"introduced":"0"},{"last_affected":"44"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}