| Title | Published | Views | Reporter |
|---|---|---|---|
| CVE-2019-13564 | 11 Oct 2024 21:48 | – | circl |
| Ping Identity Agentless Integration Kit Cross-Site Scripting Vulnerability | 2 Sep 2019 00:00 | – | cnvd |
| CVE-2019-13564 | 11 Jul 2019 17:14 | – | cve |
| CVE-2019-13564 | 11 Jul 2019 17:14 | – | cvelist |
| EUVD-2019-5019 | 7 Oct 2025 00:30 | – | euvd |
| CVE-2019-13564 | 11 Jul 2019 18:15 | – | nvd |
| CVE-2019-13564 | 11 Jul 2019 18:15 | – | osv |
| Cross site scripting | 11 Jul 2019 18:15 | – | prion |
| PT-2019-13425 · Ping Identity · Ping Identity Agentless Integration Kit | 11 Jul 2019 00:00 | – | ptsecurity |
| CVE-2019-13564 | 22 May 2025 10:07 | – | redhatcve |

# Ping Identity Agentless Integration Kit Reflected Cross-site Scripting (XSS) #
Link: https://github.com/sbaresearch/advisories/tree/public/2019/SBA-ADV-20190305-01_Ping_Identity_Agentless_Integration_Kit_Reflected_XSS
## Vulnerability Overview ##
Ping Identity Agentless Integration Kit before 1.5 is susceptible to
Reflected Cross-site Scripting at the `/as/authorization.oauth2`
endpoint due to improper encoding of an arbitrarily submitted HTTP
GET parameter name.
* **Identifier** : SBA-ADV-20190305-01
* **Type of Vulnerability** : Cross-site Scripting
* **Software/Product Name** : [Ping Identity Agentless Integration Kit](https://www.pingidentity.com/developer/en/resources/agentless-integration-kit-developers-guide.html)
* **Vendor** : [Ping Identity](https://www.pingidentity.com/)
* **Affected Versions** : < 1.5
* **Fixed in Version** : 1.5
* **CVE ID** : CVE-2019-13564
* **CVSSv3 Vector** : AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
* **CVSSv3 Base Score** : 6.1 (Medium)
## Vendor Description ##
> After authenticating the user (via a federated security token or
> authentication adapter), the user will be presented to the protected
> application via an SP adapter. This adapter provides the last-mile
> connection between the federation server (PingFederate) and the
> application, the user will be presented to the application which can
> then create a session and render the application for the
> authenticated user.
Source: <https://www.pingidentity.com/developer/en/resources/agentless-integration-kit-developers-guide/last-mile-integration.html>
## Impact ##
By exploiting the documented vulnerability, an attacker can execute
JavaScript code in a victim's browser within the origin of the target
site. This can be misused, for example, for phishing attacks by
displaying a fake login form in the context of the trusted site via
JavaScript and then sending the victim's credentials to the attacker.
## Vulnerability Description ##
The `/as/authorization.oauth2` endpoint of PingFederate takes several
HTTP GET parameter name-value pairs, which are subsequently rendered
as an HTML form with hidden input fields.
```text
https://idp.example.com/as/authorization.oauth2?response_type=code&client_id=CLIENT&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcb
```
The name of the HTTP parameter is rendered as the `name` attribute of
the corresponding input field, and the HTTP parameter value is rendered
as the `value` attribute. The content of the `value` attribute is
HTML-encoded and therefore not susceptible to XSS. However, the content of
the `name` attribute is written to the HTML document without any
encoding or sanitization.
## Proof of Concept ##
An attacker can exploit this vulnerability by ending the HTML attribute
and element and then inserting, for example, a `script` tag.
```text
https://idp.example.com/as/authorization.oauth2?response_type=code&client_id=CLIENT&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcb&%22%3E%3Cscript%3Ealert(1)%3C%2fscript%3E
```
The last parameter reads as follows when URL-decoded:
```html
"><script>alert(1)</script>
```
This leads to the following HTML response (shortened for readability):
```html
<form method="post" action="[...]">
<input type="hidden" name="REF" value="[...]"/>
<!-- ... -->
<input type="hidden" name=""><script>alert(1)</script>" value=""/>
<!-- ... -->
</form>
```
## Recommended Countermeasures ##
We recommend HTML-encoding the parameter name the same way the
parameter value is encoded.
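The following added example (not part of the original advisory and not Ping Identity's code) reproduces the described rendering flaw in a hypothetical renderer and shows the recommended fix next to it. The function names and the sample query are assumptions; the parsed output is checked to confirm that only `input` elements remain once the name is encoded.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qsl

# Constructed sample: placeholder parameters plus the parameter name from the
# proof of concept on this page.
SAMPLE_QUERY = ("response_type=code&client_id=CLIENT"
                "&%22%3E%3Cscript%3Ealert(1)%3C%2fscript%3E")


def render_vulnerable(query):
    """Hypothetical renderer with the described flaw: value encoded, name raw."""
    return "\n".join(
        f'<input type="hidden" name="{name}" value="{escape(value, quote=True)}"/>'
        for name, value in parse_qsl(query, keep_blank_values=True))


def render_hardened(query):
    """Same renderer with the name encoded the same way as the value."""
    return "\n".join(
        f'<input type="hidden" name="{escape(name, quote=True)}" '
        f'value="{escape(value, quote=True)}"/>'
        for name, value in parse_qsl(query, keep_blank_values=True))


class TagCollector(HTMLParser):
    """Collects the start tags an HTML parser actually sees in the markup."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def parsed_tags(markup):
    """Return start tags in document order; anything but 'input' is injected."""
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    for render in (render_vulnerable, render_hardened):
        print(render.__name__, parsed_tags(render(SAMPLE_QUERY)))
```

A check like `parsed_tags` can serve as a regression test for any template that echoes request parameter names into attributes.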
## Timeline ##
* `2019-03-05` Identified the vulnerability in version < 1.5
* `2019-03-25` Contacted the vendor via support
* `2019-05-24` Finding review with Ping Identity and SBA Research
* `2019-07-11` Publication of CVE-2019-13564
## References ##
* [NIST NVD entry of CVE-2019-13564](https://nvd.nist.gov/vuln/detail/CVE-2019-13564)
## Credits ##
* Thomas Konrad ([SBA Research](https://www.sba-research.org/))