CVE-2019-11274

CVE-2019-11274 is a medium-severity vulnerability in Cloudfoundry User Account And Authentication with a CVSS 3.x base score of 6.1. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-79.

Key facts

Description

Cloud Foundry UAA, versions prior to 74.0.0, is vulnerable to an XSS attack. A remote unauthenticated malicious attacker could craft a URL that contains a SCIM filter that contains malicious JavaScript, which older browsers may execute.

Frequently asked questions

What is CVE-2019-11274?
Cloud Foundry UAA, versions prior to 74.0.0, is vulnerable to an XSS attack. A remote unauthenticated malicious attacker could craft a URL that contains a SCIM filter that contains malicious JavaScript, which older browsers may execute.
How severe is CVE-2019-11274?
CVE-2019-11274 has a CVSS 3.x base score of 6.1, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is low, integrity low, and availability none.
Is CVE-2019-11274 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (52nd percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2019-11274?
CVE-2019-11274 affects Cloudfoundry User Account And Authentication. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2019-11274?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
When was CVE-2019-11274 published?
CVE-2019-11274 was published on 2019-08-09 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Cloudfoundry User Account And Authentication

All CVEs affecting Cloudfoundry User Account And Authentication →

Other CWE-79 (Cross-site Scripting (XSS)) vulnerabilities

Browse all CWE-79 (Cross-site Scripting (XSS)) vulnerabilities →