CVE-2023-45683

CWE-79 — Cross-site Scripting (XSS)7 documents5 sources

Severity

6.1MEDIUM

EPSS

0.3%

top 48.01%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Crewjam Saml Github.com Crewjam/saml Saml Project Saml

Timeline

PublishedOct 16

Latest updateOct 24

Description

github.com/crewjam/saml is a saml library for the go language. In affected versions the package does not validate the ACS Location URI according to the SAML binding being parsed. If abused, this flaw allows attackers to register malicious Service Providers at the IdP and inject Javascript in the ACS endpoint definition, achieving Cross-Site-Scripting (XSS) in the IdP context during the redirection at the end of a SAML SSO Flow. Consequently, an attacker may perform any authenticated action as th…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:LExploitability: 2.8 | Impact: 3.7

Affected Packages3 packages

▶Gogithub.com/crewjam/saml< 0.4.14

▶CVEListV5crewjam/saml< 0.4.14

▶NVDsaml_project/saml< 0.4.14

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Cross-site scripting via missing binding syntax validation in github.com/crewjam/saml↗2023-10-24

▶

OSV

Cross-site Scripting via missing Binding syntax validation↗2023-10-17

▶

GHSA

Cross-site Scripting via missing Binding syntax validation↗2023-10-17

▶

OSV

CVE-2023-45683: github↗2023-10-16

▶

CVEList

Cross site scripting via missing binding syntax validation In ACS location in github.com/crewjam/saml↗2023-10-16

▶

📋Vendor Advisories

Red Hat

github.com/crewjam/saml: Cross-Site-Scripting (XSS) in github.com/crewjam/saml↗2023-10-16

▶