XSS in Authentik via JavaScript-URI as Redirect URI and form_post Response Mode
CVE-2024-21637

7.7HIGH

Key Information:

Vendor

Goauthentik

Status
Authentik
Vendor
CVE Published:
11 January 2024

What is CVE-2024-21637?

Authentik, an open-source Identity Provider, is subject to a reflected Cross-Site Scripting vulnerability that occurs through JavaScript-URIs during OpenID Connect flows using response_mode=form_post. Attackers can exploit this vulnerability to execute payloads, potentially leading to privilege escalation. The issue has been addressed in subsequent releases, specifically versions 2023.10.6 and 2023.8.6, which mitigate the identified risks by correcting the handling of the vulnerable JavaScript-URIs.

Affected Version(s)

authentik <= 2023.10.5 <= 2023.10.5

authentik <= 2023.8.5 <= 2023.8.5

References

https://github.com/goauthentik/authentik/security/advisor...
x_refsource_CONFIRM
https://github.com/goauthentik/authentik/releases/tag/ver...
x_refsource_MISC
https://github.com/goauthentik/authentik/releases/tag/ver...
x_refsource_MISC

CVSS V3.1

Score:
7.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
High
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.