← All vulnerabilities
CRITICALSupply chain
GHSA-FQ9H-C788-FX73
maven · org.openidentityplatform.openam:openam-oauth2
Summary
OpenAM has pre-auth Reflected XSS in OAuth2 / OIDC response_mode=form_post via state parameter (FormPostResponse.ftl)
References
Related vulnerabilities
All Supply chain →- HIGHGHSA-JQ8V-RMF6-65JW
Gogs has Stored XSS in `.ipynb` Preview
- MEDIUMGHSA-HVQH-JW65-WCPQ
devbridge-autocomplete has XSS in its default formatters: formatGroup and formatResult fail to escape HTML in untrusted inputs
- LOWGHSA-FHRQ-3GMX-P879
OpenAM SAML2 Cluster Cookie-Hash-Redirect Path has Pre-authentication Reflected XSS via `FSUtils.postToTarget`
- HIGHGHSA-X975-RGX4-5FH4
appium-mcp: Unescaped Locator Data XSS in MCP-UI Resource (createLocatorGeneratorUI)
- LOWGHSA-H5JC-78HR-3PC9
Sveltia CMS: Stored XSS in Markdown/RichText preview via unsandboxed same-origin iframe
- MEDIUMGHSA-6V8J-33HC-MV84
symfony/ux-icons: XSS via unsanitized SVG content in local files and Iconify on-demand responses