CVE-2009-3300
Published 2009-11-06
CVE-2009-3300: Multiple cross-site scripting (XSS) vulnerabilities in the Identity Provider (IdP) 1.3.x before 1.3.4 and 2.x before 2.1.5, and the Service Provider 1.3.x…
Priority: P4 · CVSS 2.0 base score: 2.6 (low)
CVSS 2.0 vector: AV:N/AC:H/Au:N/C:N/I:P/A:N
EPSS: 1.67% (73.9th percentile)
Multiple cross-site scripting (XSS) vulnerabilities in the Identity Provider (IdP) 1.3.x before 1.3.4 and 2.x before 2.1.5, and the Service Provider 1.3.x before 1.3.5 and 2.x before 2.3, in Internet2 Middleware Initiative Shibboleth allow remote attackers to inject arbitrary web script or HTML via URLs that are encountered in redirections, and appear in automatically generated forms.
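The bug class the advisory describes, a request-supplied URL landing unencoded in an auto-submitted SAML POST form, is easy to reproduce in miniature. The following is an added illustration written for this page; it is not Shibboleth code and does not reproduce the actual vulnerable templates. The function names, the form template and the sample inputs (the hostile AssertionConsumerService URL and the base64 payload) are all constructed for the demonstration.

```python
import html
from urllib.parse import urlsplit

# Constructed sample inputs for the demonstration (not taken from the advisory).
SAML_RESPONSE_B64 = "PHNhbWxwOlJlc3BvbnNlLz4="  # base64 of "<samlp:Response/>"
HOSTILE_ACS_URL = (
    'https://sp.example.org/Shibboleth.sso/SAML2/POST'
    '"><script>alert(1)</script><form action="x'
)
MARKER = "<script>alert(1)</script>"

# Auto-submitting POST form of the kind an IdP or SP emits for the SAML
# HTTP-POST binding.  Every {placeholder} sits inside an attribute value,
# so a double quote in the data is enough to break out of it.
FORM_TEMPLATE = (
    '<html><body onload="document.forms[0].submit()">'
    '<form method="POST" action="{action}">'
    '<input type="hidden" name="SAMLResponse" value="{payload}"/>'
    '<input type="hidden" name="RelayState" value="{relay}"/>'
    '</form></body></html>'
)


def destination_allowed(url):
    """Structural check on the form target: absolute http(s) URL only.
    This blocks javascript: and data: targets but, as the test below shows,
    does nothing against a well-formed https URL carrying HTML metacharacters."""
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def build_form_vulnerable(action_url, payload, relay_state=""):
    """Bug class described in CVE-2009-3300: request-derived strings are
    interpolated into the generated page without HTML encoding."""
    return FORM_TEMPLATE.format(action=action_url, payload=payload, relay=relay_state)


def build_form_fixed(action_url, payload, relay_state=""):
    """Hardened variant: validate the destination, then HTML-encode every
    value.  quote=True also encodes " and ', which is what matters in
    attribute context; RelayState is encoded too because it is also
    attacker-influenced in a real SAML exchange."""
    if not destination_allowed(action_url):
        raise ValueError("form destination must be an absolute http(s) URL")
    enc = lambda s: html.escape(s, quote=True)
    return FORM_TEMPLATE.format(
        action=enc(action_url), payload=enc(payload), relay=enc(relay_state)
    )


def marker_is_live(markup, marker=MARKER):
    """True when the injected marker survived as raw markup, i.e. a browser
    would parse it as a script element rather than as attribute text."""
    return marker in markup


if __name__ == "__main__":
    vuln = build_form_vulnerable(HOSTILE_ACS_URL, SAML_RESPONSE_B64)
    safe = build_form_fixed(HOSTILE_ACS_URL, SAML_RESPONSE_B64)
    print("destination passes the scheme check:", destination_allowed(HOSTILE_ACS_URL))
    print("vulnerable output carries live script:", marker_is_live(vuln))
    print("fixed output carries live script:     ", marker_is_live(safe))
```

The point of keeping `destination_allowed` separate is to show that a scheme allowlist on the redirect or form target is a useful control but not the fix: the hostile URL is a perfectly valid https URL and passes it. Only contextual output encoding at the point where the URL is written into the page closes the hole, which is what the 1.3.4/2.1.5 (IdP) and 1.3.5/2.3 (SP) releases address.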
Affected
21 ranges (verbatim duplicate rows collapsed; internet2 version bounds taken from the advisory text above)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | shibboleth-sp | < 3.0.2+dfsg1-2 (bookworm) | 3.0.2+dfsg1-2 (bookworm) |
| internet2 | identity_provider | 1.3.x before 1.3.4 | 1.3.4 |
| internet2 | identity_provider | 2.x before 2.1.5 | 2.1.5 |
| internet2 | service_provider | 1.3.x before 1.3.5 | 1.3.5 |
| internet2 | service_provider | 2.x before 2.3 | 2.3 |
| internet2 | shibboleth-sp | >= 0 < 3.0.2+dfsg1-2 | 3.0.2+dfsg1-2 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 2.6 | LOW | AV:N/AC:H/Au:N/C:N/I:P/A:N |
| osv | — | 2.6 | LOW | — |
| vendor_debian | — | 2.6 | MEDIUM | — |
GHSA
GHSA-xjxx-h5w2-fphm · ghsa_unreviewed · 2022-05-02 · CVE-2009-3300 [LOW] · CWE-79
Description: same text as the NVD entry above.
OSV
CVE-2009-3300 · osv · 2009-11-06 · CVSS 2.6 · [LOW]
Description: same text as the NVD entry above.
Debian
CVE-2009-3300: shibboleth-sp · vendor_debian · 2009 · CVSS 2.6 · [LOW]
Description: same text as the NVD entry above.
Scope: local
bookworm: resolved (fixed in 3.0.2+dfsg1-2)
bullseye: resolved (fixed in 3.0.2+dfsg1-2)
forky: resolved (fixed in 3.0.2+dfsg1-2)
sid: resolved (fixed in 3.0.2+dfsg1-2)
trixie: resolved (fixed in 3.0.2+dfsg1-2)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
http://secunia.com/advisories/37237
http://shibboleth.internet2.edu/secadv/secadv_20091104.txt
http://www.debian.org/security/2009/dsa-1947
http://www.vupen.com/english/advisories/2009/3150
https://exchange.xforce.ibmcloud.com/vulnerabilities/54140