CVE-2009-3300
published 2009-11-06

CVE-2009-3300: Multiple cross-site scripting (XSS) vulnerabilities in the Identity Provider (IdP) 1.3.x before 1.3.4 and 2.x before 2.1.5, and the Service Provider 1.3.x…

Priority: P4
CVSS 2.0 base score: 2.6 (low) out of 10
CVSS 2.0 vector: AV:N/AC:H/Au:N/C:N/I:P/A:N
EPSS: 1.67% (73.9th percentile)
Multiple cross-site scripting (XSS) vulnerabilities in the Identity Provider (IdP) 1.3.x before 1.3.4 and 2.x before 2.1.5, and the Service Provider 1.3.x before 1.3.5 and 2.x before 2.3, in Internet2 Middleware Initiative Shibboleth allow remote attackers to inject arbitrary web script or HTML via URLs that are encountered in redirections, and appear in automatically generated forms.

Affected

21 ranges

Vendor    | Product           | Version range                                  | Fixed in
debian    | shibboleth-sp     | < shibboleth-sp 3.0.2+dfsg1-2 (bookworm)       | shibboleth-sp 3.0.2+dfsg1-2 (bookworm)
internet2 | identity_provider | (9 entries; version range not given on the page) | (not given)
internet2 | service_provider  | (7 entries; version range not given on the page) | (not given)
internet2 | shibboleth-sp     | >= 0 < 3.0.2+dfsg1-2 (4 identical entries)     | 3.0.2+dfsg1-2

CVSS provenance

Source        | CVSS version | Score | Severity | Vector
nvd           | 2.0          | 2.6   | LOW      | AV:N/AC:H/Au:N/C:N/I:P/A:N
osv           |              | 2.6   | LOW      |
vendor_debian |              | 2.6   | MEDIUM   |