NVD:CVE-2023-49111

CVE-2023-49111
Date: 2024-06-20 13:15:49
CWE-79
Source: web.nvd.nist.gov

Tags: kiuwan, single sign-on, cross-site scripting, login page, request parameter, AD SSO authentication, business environment, ADFS, password theft

CVSS3: 6.5
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

EPSS: 0
Percentile: 9.0%

For Kiuwan installations with SSO (single sign-on) enabled, an unauthenticated reflected cross-site scripting attack can be performed on the login page "login.html". This is possible because the value of the request parameter "message" is included directly in a JavaScript block in the response. This is especially critical in business environments using AD SSO authentication, e.g. via ADFS, where attackers could potentially steal AD passwords.

This issue affects Kiuwan SAST versions earlier than master.1808.p685.q13371.
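As an added illustration (not code from the advisory, from NVD or from Kiuwan), the following constructed Python model shows the flaw class the description names, a request parameter pasted into an inline script block, next to the JavaScript-context encoding that closes it and a round-trip check a reviewer can apply to rendered pages. The page template, the `ssoMessage` variable and all function names are assumptions, not Kiuwan's actual login.html.

```python
import json
import re

# Constructed stand-in for a login page that echoes an SSO status message
# into an inline script block (not Kiuwan's actual login.html).
LOGIN_TEMPLATE = """<html><body><p id="msg"></p>
<script>
  var ssoMessage = {message_js};
  document.getElementById("msg").textContent = ssoMessage;
</script>
</body></html>"""


def render_vulnerable(message: str) -> str:
    """The advisory's flaw class: the raw parameter is quoted and pasted into
    the script, so a quote or a </script> tag in it escapes the context."""
    return LOGIN_TEMPLATE.format(message_js='"' + message + '"')


def js_string_literal(value: str) -> str:
    """Encode untrusted text as a JS string literal safe inside an inline
    script. json.dumps escapes quotes, backslashes, control characters and
    (via ensure_ascii) U+2028/U+2029; '<', '>' and '&' are hex-escaped on
    top because the HTML tokenizer scans script text for '</script'."""
    encoded = json.dumps(value)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        encoded = encoded.replace(ch, esc)
    return encoded


def render_hardened(message: str) -> str:
    """Same page, with the parameter encoded for the JavaScript context."""
    return LOGIN_TEMPLATE.format(message_js=js_string_literal(message))


LITERAL_RE = re.compile(r"var ssoMessage = (.*?);\n")


def embedded_value(html: str):
    """Recover what a JS engine would see as the ssoMessage literal, or
    None when it no longer parses as a single string (input broke out)."""
    match = LITERAL_RE.search(html)
    if match is None:
        return None
    try:
        value = json.loads(match.group(1))
    except ValueError:
        return None
    return value if isinstance(value, str) else None
```

Counting `</script` occurrences in the rendered page, together with the round-trip check, is a quick way to confirm that a fix for this bug class actually keeps the parameter inside the string literal.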
