It was found that PicketLink would accept an XInclude parameter in SAMLResponse XML. An attacker could use this flaw to send a URL to achieve cross-site scripting or possibly conduct further attacks.
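As an added example, not code from PicketLink or the errata listed below: a hardened JAXP parser configuration for a SAMLResponse that disables XInclude processing (the weak setting, setXIncludeAware(true), is noted in a comment), together with a defence-in-depth check that rejects any element in the XInclude namespace. The class name and the sample document are constructed for illustration.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;
public class SamlResponseParser {
    static final String XINCLUDE_NS = "http://www.w3.org/2001/XInclude";
    // Hardened factory: a SAMLResponse must never cause the parser to pull in external
    // resources, so XInclude, DTDs and external entities are all switched off.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);   // required for the namespace check in parseSamlResponse
        dbf.setXIncludeAware(false);   // the weak setting is setXIncludeAware(true)
        dbf.setExpandEntityReferences(false);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return dbf;
    }
    // Parse with the hardened factory and, as defence in depth, refuse any document that
    // carries an XInclude element even though the parser above would not expand it.
    static Document parseSamlResponse(String xml) throws Exception {
        DocumentBuilder db = hardenedFactory().newDocumentBuilder();
        Document doc = db.parse(new InputSource(new StringReader(xml)));
        NodeList xi = doc.getElementsByTagNameNS(XINCLUDE_NS, "*");
        if (xi.getLength() > 0) {
            throw new SecurityException("SAMLResponse contains XInclude element: " + xi.item(0).getNodeName());
        }
        return doc;
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample: a minimal response carrying an xi:include, the pattern this CVE concerns.
        String sample = "<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\""
            + " xmlns:xi=\"http://www.w3.org/2001/XInclude\" ID=\"_constructed\">"
            + "<xi:include href=\"placeholder.xml\"/>"
            + "</samlp:Response>";
        try {
            parseSamlResponse(sample);
            System.out.println("accepted (unexpected)");
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

With the JDK's built-in Xerces parser the sample is rejected by the namespace check; with a factory that leaves XInclude enabled the include would instead be resolved before the application ever sees the document.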
This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6 via RHSA-2019:1419 https://access.redhat.com/errata/RHSA-2019:1419
Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8 via RHSA-2019:1421 https://access.redhat.com/errata/RHSA-2019:1421
Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7 via RHSA-2019:1420 https://access.redhat.com/errata/RHSA-2019:1420
Red Hat JBoss Enterprise Application Platform via RHSA-2019:1424 https://access.redhat.com/errata/RHSA-2019:1424
Red Hat Single Sign-On 7.3.2 zip via RHSA-2019:1456 https://access.redhat.com/errata/RHSA-2019:1456