Lucene search

Veracode Vulnerability DatabaseVERACODE:6385

HistoryMay 25, 2018 - 6:37 a.m.

Cross-site Scripting (XSS)

2018-05-2506:37:11

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

JSON

simplesamlphp is vulnerable to cross-site scripting (XSS) attacks. A malicious user can craft URLs that include Javascript to pass to another user for execution through the setConsentText function in the consentAdmin module. This vulnerability requires the consentAdmin module to be enabled and configured in an Identity Provider.

CPENameOperatorVersion
simplesamlphp/simplesamlphple1.14.15

CPE	Name	Operator	Version
	simplesamlphp/simplesamlphp	le	1.14.15

References

github.com/simplesamlphp/simplesamlphp/commit/34e1bdb7660c0c9b627f8e5f0ca224a6afe641a8

simplesamlphp.org/security/201709-01

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

JSON

Related for VERACODE:6385