Reflected Cross-Site-Scripting in Kiuwan SAST
CVE-2023-49111

6.5MEDIUM

Key Information:

Vendor: Kiuwan
Status: Sast
Vendor: CVE Published:; 20 June 2024

What is CVE-2023-49111?

For Kiuwan installations with SSO (single sign-on) enabled, an unauthenticated reflected cross-site scripting attack can be performed on the login page "login.html". This is possible due to the request parameter "message" values being directly included in a JavaScript block in the response. This is especially critical in business environments using AD SSO authentication, e.g. via ADFS, where attackers could potentially steal AD passwords.

This issue affects Kiuwan SAST: <master.1808.p685.q13371

Affected Version(s)

SAST <master.1808.p685.q13371

References

https://r.sec-consult.com/kiuwan

third-party-advisory

https://www.kiuwan.com/docs/display/K5/%5B2024-05-30%5D+C...

release-notes

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 20, 2024
Vulnerability Reserved
Nov 22, 2023

Credit

Constantin Schwarz

Johannes Greil

CVE-2023-49111 Data

JSON