6:["$","$L19",null,{"children":[["$","header",null,{"children":["$","$L1a",null,{"description":"Real-time alerts of vulnerabilities across monitored open-source ecosystems.","href":"/vul","indicators":[{"description":"Maven","icon":"layer-group","indicator":"1","title":"Ecosystems covered"},{"description":"From global vulnerability databases","icon":"flag","indicator":"2","title":"Total vulnerabilities tracked"}],"section":"Vulnerabilities"}]}],["$","main",null,{"children":["$","$L1b",null,{"filterAvailability":{"ageRanges":["1w","1m","3m"],"cveOptions":[],"cwes":["CWE-79","CWE-287"],"detectedOptions":[],"ecosystems":["maven"],"epssOptions":["y","n"],"eventsOptions":[],"exploitOptions":[],"fixOptions":[],"kevOptions":[],"originalSeverities":["critical","low"],"reachabilityOptions":[],"severities":["high","low"],"typeOptions":["application"],"weaknesses":[{"id":"008","name":"Reflected cross-site scripting (XSS)"},{"id":"039","name":"Improper authorization control for web services"}]},"vulnerabilitiesPage":{"ecosystemNames":["maven"],"totalEcosystems":1,"totalPages":1,"totalVulnerabilities":2,"vulnerabilities":[{"adv_id":"CVE-2026-44793","alternative_id":"GHSA-fhrq-3gmx-p879","created_at":"2026-06-22T20:39:06Z","cve_finding":"F008","cwe_ids":["CWE-79"],"details":"OpenAM SAML2 Cluster Cookie-Hash-Redirect Path has Pre-authentication Reflected XSS via `FSUtils.postToTarget`\n## Summary\n\nCertain federation endpoints do not consistently apply output encoding when rendering user-supplied parameters into HTML responses. Under a non-default configuration used in some clustered deployments, this inconsistency can result in reflected XSS in the OpenAM origin without authentication.","ecosystem":"maven","epss":null,"flat_id":"FLAT-ETF6U","has_public_exploit":0,"has_reports":false,"kev_catalog":0,"modified_at":"2026-06-22T20:39:06Z","package_name":"org.openidentityplatform.openam:openam-federation-library","percentile":null,"platform_version":"default","severity":null,"severity_v4":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U","source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-fhrq-3gmx-p879/GHSA-fhrq-3gmx-p879.json","source_severity_v4":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N","vulncheck_reported_exploitation":0,"vulnerable_version":">=0 <16.1.1"},{"adv_id":"CVE-2023-37471","alternative_id":"GHSA-4mh8-9wq6-rjxg","created_at":"2023-07-20T18:54:13Z","cve_finding":"F039","cwe_ids":["CWE-287"],"details":"OpenAM vulnerable to user impersonation using SAMLv1.x SSO process\n### Impact\nOpenAM up to version 14.7.2 does not properly validate the signature of SAML responses received as part of the SAMLv1.x Single Sign-On process. Attackers can use this fact to impersonate any OpenAM user, including the administrator, by sending a specially crafted SAML response to the SAMLPOSTProfileServlet servlet.\n\n### Patches\nThis problem has been patched in OpenAM 14.7.3-SNAPSHOT and later\n\n### Workarounds\nOne should comment servlet `SAMLPOSTProfileServlet` in web.xml or disable SAML in OpenAM\n```xml\n\n SAMLPOSTProfileServlet\n SAMLPOSTProfileServlet\n com.sun.identity.saml.servlet.SAMLPOSTProfileServlet\n\n...\n\n SAMLSOAPReceiver\n /SAMLSOAPReceiver\n\n```\n\n### References\n#624\n","ecosystem":"maven","epss":"0.01022","flat_id":"FLAT-1QFZM","has_public_exploit":0,"has_reports":false,"kev_catalog":0,"modified_at":"2023-07-20T18:54:13Z","package_name":"org.openidentityplatform.openam:openam-federation-library","percentile":"0.58785","platform_version":"default","severity":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","severity_v4":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U","source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-4mh8-9wq6-rjxg/GHSA-4mh8-9wq6-rjxg.json","source_severity_v4":null,"vulncheck_reported_exploitation":0,"vulnerable_version":">=0 <14.7.3"}]}}]}]]}]