Lucene search

GoogleOSV:GO-2023-2114

HistoryOct 24, 2023 - 4:45 p.m.

Cross-site scripting via missing binding syntax validation in github.com/crewjam/saml

2023-10-2416:45:15

Google

osv.dev

cross-site scripting

missing binding validation

github.com/crewjam/saml

saml

acs endpoint

javascript injection

idp context

sso link

software vulnerability

7.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

0.0005 Low

EPSS

Percentile

17.1%

JSON

The package does not validate the ACS Location URI according to the SAML binding being parsed. If abused, this flaw allows attackers to register malicious Service Providers at the IdP and inject Javascript in the ACS endpoint definition, achieving Cross-Site-Scripting (XSS) in the IdP context during the redirection at the end of a SAML SSO Flow. Consequently, an attacker may perform any authenticated action as the victim once the victim’s browser loads the SAML IdP initiated SSO link for the malicious service provider.

CPENameOperatorVersion
github.com/crewjam/samllt0.4.14

CPE	Name	Operator	Version
	github.com/crewjam/saml	lt	0.4.14

References

github.com/crewjam/saml/commit/b07b16cf83c4171d16da4d85608cb827f183cd79

github.com/crewjam/saml/security/advisories/GHSA-267v-3v32-g6q5