Werk #17094: Fix XSS on SAML login screen
| Komponente | Setup | ||||||
| Titel | Fix XSS on SAML login screen | ||||||
| Datum | 05.09.2024 | ||||||
| Level | Kleine Änderung | ||||||
| Klasse | Sicherheitsfix | ||||||
| Kompatibilität | Kompatibel - benötigt kein manuelles Eingreifen | ||||||
| Checkmk versions & editions |
|
Prior to Werk, attackers could craft URLs that rendered clickable HTML links in the error box on the SAML login page. This could facilitate phishing attacks by tricking users into clicking malicious links.
Links in the error message are now escaped and no longer clickable.
This issue was identified during internal review.
Affected Versions:
- 2.3.0
- 2.2.0
Vulnerability Management:
We have rated the issue with a CVSS Score of 5.1 Medium (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N) and assigned CVE-2024-38860.