CVE-2023-49111 Reflected Cross-Site-Scripting in Kiuwan SAST

2024-06-2012:34:38

CWE-79

SEC-VLab

www.cve.org

reflected cross-site-scripting

kiuwan sast

single sign-on

unauthenticated

javascript

adfs

ad passwords

EPSS

Percentile

9.0%

JSON

For Kiuwan installations with SSO (single sign-on) enabled, an
unauthenticated reflected cross-site scripting attack can be performed
on the login page “login.html”. This is possible due to the request parameter “message” values
being directly included in a JavaScript block in the response. This is
especially critical in business environments using AD SSO
authentication, e.g. via ADFS, where attackers could potentially steal
AD passwords.

This issue affects Kiuwan SAST: <master.1808.p685.q13371

CNA Affected

[
  {
    "defaultStatus": "affected",
    "product": "SAST",
    "vendor": "Kiuwan",
    "versions": [
      {
        "status": "affected",
        "version": "<master.1808.p685.q13371",
        "versionType": "custom"
      }
    ]
  }
]

References

r.sec-consult.com/kiuwan

www.kiuwan.com/docs/display/K5/%5B2024-05-30%5D+Change+Log

EPSS

Percentile

9.0%

JSON

Related for CVELIST:CVE-2023-49111