Vulnerability CVE-2023-49111
Published: 2024-06-20

Description:
For Kiuwan installations with SSO (single sign-on) enabled, an
unauthenticated reflected cross-site scripting attack can be performed
on the login page "login.html". This is possible due to the request parameter "message" values
being directly included in a JavaScript block in the response. This is
especially critical in business environments using AD SSO
authentication, e.g. via ADFS, where attackers could potentially steal
AD passwords.



This issue affects Kiuwan SAST: <master.1808.p685.q13371

See advisories in our WLB2 database:
Topic
Author
Date
Med.
Kiuwan Local Analyzer / SAST / SaaS XML Injection / XSS / IDOR
C. Schwarz
10.06.2024

Type:

CWE-79

 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))

 References:
https://r.sec-consult.com/kiuwan
https://www.kiuwan.com/docs/display/K5/%5B2024-05-30%5D+Change+Log
Copyright 2024, cxsecurity.com

 

Back to Top