CVE-2023-52240

The Kantega SAML SSO OIDC Kerberos Single Sign-on apps before 6.20.0 for Atlassian products allow XSS if SAML POST Binding is enabled. This affects 4.4.2 through 4.14.8 before 4.14.9, 5.0.0 through 5.11.4 before 5.11.5, and 6.0.0 through 6.19.0 before 6.20.0. The full product names are Kantega SAML SSO OIDC Kerberos Single Sign-on for Jira Data Center & Server (Kantega SSO Enterprise), Kantega SAML SSO OIDC Kerberos Single Sign-on for Confluence Data Center & Server (Kantega SSO Enterprise), Kantega SAML SSO OIDC Kerberos Single Sign-on for Bitbucket Data Center & Server (Kantega SSO Enterprise), Kantega SAML SSO OIDC Kerberos Single Sign-on for Bamboo Data Center & Server (Kantega SSO Enterprise), and Kantega SAML SSO OIDC Kerberos Single Sign-on for FeCru Server (Kantega SSO Enterprise). (Here, FeCru refers to the Atlassian Fisheye and Crucible products running together.)

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://kantega-sso.atlassian.net/wiki/spaces/KSE/pages/1226473473/Security+Vulnerability+HTML+injection+Cross-site+scripting+in+SAML+POST+binding+Kantega+SSO+Enterprise	Vendor Advisory
https://marketplace.atlassian.com/apps/1211923/kantega-saml-sso-oidc-kerberos-single-sign-on-for-jira?hosting=datacenter&tab=versions	Product
https://marketplace.atlassian.com/apps/1212126/kantega-saml-sso-oidc-kerberos-single-sign-on-for-confluence?hosting=datacenter&tab=overview	Product
https://marketplace.atlassian.com/apps/1213019/kantega-saml-sso-oidc-kerberos-single-sign-on-for-bitbucket?hosting=datacenter&tab=overview	Product
https://marketplace.atlassian.com/apps/1215262/kantega-saml-sso-oidc-kerberos-single-sign-on-for-bamboo?hosting=datacenter&tab=overview	Product
https://marketplace.atlassian.com/apps/1215263/kantega-saml-sso-oidc-kerberos-single-sign-on-for-fecru?hosting=server&tab=overview	Product
https://kantega-sso.atlassian.net/wiki/spaces/KSE/pages/1226473473/Security+Vulnerability+HTML+injection+Cross-site+scripting+in+SAML+POST+binding+Kantega+SSO+Enterprise	Vendor Advisory
https://marketplace.atlassian.com/apps/1211923/kantega-saml-sso-oidc-kerberos-single-sign-on-for-jira?hosting=datacenter&tab=versions	Product
https://marketplace.atlassian.com/apps/1212126/kantega-saml-sso-oidc-kerberos-single-sign-on-for-confluence?hosting=datacenter&tab=overview	Product
https://marketplace.atlassian.com/apps/1213019/kantega-saml-sso-oidc-kerberos-single-sign-on-for-bitbucket?hosting=datacenter&tab=overview	Product
https://marketplace.atlassian.com/apps/1215262/kantega-saml-sso-oidc-kerberos-single-sign-on-for-bamboo?hosting=datacenter&tab=overview	Product
https://marketplace.atlassian.com/apps/1215263/kantega-saml-sso-oidc-kerberos-single-sign-on-for-fecru?hosting=server&tab=overview	Product

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:kantega-sso:kantega_saml_sso_oidc_kerberos_single_sign-on::::::bamboo::*
	cpe:2.3:a:kantega-sso:kantega_saml_sso_oidc_kerberos_single_sign-on::::::bitbucket::*
	cpe:2.3:a:kantega-sso:kantega_saml_sso_oidc_kerberos_single_sign-on::::::confluence::*
	cpe:2.3:a:kantega-sso:kantega_saml_sso_oidc_kerberos_single_sign-on::::::fecru::*
	cpe:2.3:a:kantega-sso:kantega_saml_sso_oidc_kerberos_single_sign-on::::::jira::*
	cpe:2.3:a:kantega-sso:kantega_saml_sso_oidc_kerberos_single_sign-on::::::bamboo::*
	cpe:2.3:a:kantega-sso:kantega_saml_sso_oidc_kerberos_single_sign-on::::::bitbucket::*
	cpe:2.3:a:kantega-sso:kantega_saml_sso_oidc_kerberos_single_sign-on::::::confluence::*
	cpe:2.3:a:kantega-sso:kantega_saml_sso_oidc_kerberos_single_sign-on::::::jira::*
	cpe:2.3:a:kantega-sso:kantega_saml_sso_oidc_kerberos_single_sign-on::::::bamboo::*
	cpe:2.3:a:kantega-sso:kantega_saml_sso_oidc_kerberos_single_sign-on::::::bitbucket::*
	cpe:2.3:a:kantega-sso:kantega_saml_sso_oidc_kerberos_single_sign-on::::::confluence::*
	cpe:2.3:a:kantega-sso:kantega_saml_sso_oidc_kerberos_single_sign-on::::::jira::*

History

21 Nov 2024, 08:39

Type	Values Removed	Values Added
References	~~() https://kantega-sso.atlassian.net/wiki/spaces/KSE/pages/1226473473/Security+Vulnerability+HTML+injection+Cross-site+scripting+in+SAML+POST+binding+Kantega+SSO+Enterprise - Vendor Advisory~~	() https://kantega-sso.atlassian.net/wiki/spaces/KSE/pages/1226473473/Security+Vulnerability+HTML+injection+Cross-site+scripting+in+SAML+POST+binding+Kantega+SSO+Enterprise - Vendor Advisory
References	~~() https://marketplace.atlassian.com/apps/1211923/kantega-saml-sso-oidc-kerberos-single-sign-on-for-jira?hosting=datacenter&tab=versions - Product~~	() https://marketplace.atlassian.com/apps/1211923/kantega-saml-sso-oidc-kerberos-single-sign-on-for-jira?hosting=datacenter&tab=versions - Product
References	~~() https://marketplace.atlassian.com/apps/1212126/kantega-saml-sso-oidc-kerberos-single-sign-on-for-confluence?hosting=datacenter&tab=overview - Product~~	() https://marketplace.atlassian.com/apps/1212126/kantega-saml-sso-oidc-kerberos-single-sign-on-for-confluence?hosting=datacenter&tab=overview - Product
References	~~() https://marketplace.atlassian.com/apps/1213019/kantega-saml-sso-oidc-kerberos-single-sign-on-for-bitbucket?hosting=datacenter&tab=overview - Product~~	() https://marketplace.atlassian.com/apps/1213019/kantega-saml-sso-oidc-kerberos-single-sign-on-for-bitbucket?hosting=datacenter&tab=overview - Product
References	~~() https://marketplace.atlassian.com/apps/1215262/kantega-saml-sso-oidc-kerberos-single-sign-on-for-bamboo?hosting=datacenter&tab=overview - Product~~	() https://marketplace.atlassian.com/apps/1215262/kantega-saml-sso-oidc-kerberos-single-sign-on-for-bamboo?hosting=datacenter&tab=overview - Product
References	~~() https://marketplace.atlassian.com/apps/1215263/kantega-saml-sso-oidc-kerberos-single-sign-on-for-fecru?hosting=server&tab=overview - Product~~	() https://marketplace.atlassian.com/apps/1215263/kantega-saml-sso-oidc-kerberos-single-sign-on-for-fecru?hosting=server&tab=overview - Product

08 Jan 2024, 14:32

Type	Values Removed	Values Added
CPE		cpe:2.3:a:kantega-sso:kantega_saml_sso_oidc_kerberos_single_sign-on::::::jira::* cpe:2.3:a:kantega-sso:kantega_saml_sso_oidc_kerberos_single_sign-on::::::bitbucket::* cpe:2.3:a:kantega-sso:kantega_saml_sso_oidc_kerberos_single_sign-on::::::bamboo::* cpe:2.3:a:kantega-sso:kantega_saml_sso_oidc_kerberos_single_sign-on::::::confluence::* cpe:2.3:a:kantega-sso:kantega_saml_sso_oidc_kerberos_single_sign-on::::::fecru::*
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.1
First Time		Kantega-sso kantega Saml Sso Oidc Kerberos Single Sign-on Kantega-sso
References	~~() https://kantega-sso.atlassian.net/wiki/spaces/KSE/pages/1226473473/Security+Vulnerability+HTML+injection+Cross-site+scripting+in+SAML+POST+binding+Kantega+SSO+Enterprise -~~	() https://kantega-sso.atlassian.net/wiki/spaces/KSE/pages/1226473473/Security+Vulnerability+HTML+injection+Cross-site+scripting+in+SAML+POST+binding+Kantega+SSO+Enterprise - Vendor Advisory
References	~~() https://marketplace.atlassian.com/apps/1211923/kantega-saml-sso-oidc-kerberos-single-sign-on-for-jira?hosting=datacenter&tab=versions -~~	() https://marketplace.atlassian.com/apps/1211923/kantega-saml-sso-oidc-kerberos-single-sign-on-for-jira?hosting=datacenter&tab=versions - Product
References	~~() https://marketplace.atlassian.com/apps/1212126/kantega-saml-sso-oidc-kerberos-single-sign-on-for-confluence?hosting=datacenter&tab=overview -~~	() https://marketplace.atlassian.com/apps/1212126/kantega-saml-sso-oidc-kerberos-single-sign-on-for-confluence?hosting=datacenter&tab=overview - Product
References	~~() https://marketplace.atlassian.com/apps/1213019/kantega-saml-sso-oidc-kerberos-single-sign-on-for-bitbucket?hosting=datacenter&tab=overview -~~	() https://marketplace.atlassian.com/apps/1213019/kantega-saml-sso-oidc-kerberos-single-sign-on-for-bitbucket?hosting=datacenter&tab=overview - Product
References	~~() https://marketplace.atlassian.com/apps/1215262/kantega-saml-sso-oidc-kerberos-single-sign-on-for-bamboo?hosting=datacenter&tab=overview -~~	() https://marketplace.atlassian.com/apps/1215262/kantega-saml-sso-oidc-kerberos-single-sign-on-for-bamboo?hosting=datacenter&tab=overview - Product
References	~~() https://marketplace.atlassian.com/apps/1215263/kantega-saml-sso-oidc-kerberos-single-sign-on-for-fecru?hosting=server&tab=overview -~~	() https://marketplace.atlassian.com/apps/1215263/kantega-saml-sso-oidc-kerberos-single-sign-on-for-fecru?hosting=server&tab=overview - Product
CWE		CWE-79
Summary		(es) Las aplicaciones de inicio de sesión único Kantega SAML SSO OIDC Kerberos anteriores a 6.20.0 para productos Atlassian permiten XSS si el enlace SAML POST está habilitado. Esto afecta a 4.4.2 a 4.14.8 antes de 4.14.9, 5.0.0 a 5.11.4 antes de 5.11.5 y 6.0.0 a 6.19.0 antes de 6.20.0. Los nombres completos de los productos son Kantega SAML SSO OIDC Kerberos Single Sign-on para Jira Data Center & Server (Kantega SSO Enterprise), Kantega SAML SSO OIDC Kerberos Single Sign-on para Confluence Data Center & Server (Kantega SSO Enterprise), Kantega SAML SSO Single Sign-on OIDC Kerberos para Bitbucket Data Center & Server (Kantega SSO Enterprise), Kantega SAML SSO OIDC Kerberos Single Sign-on para Bamboo Data Center & Server (Kantega SSO Enterprise) y Kantega SAML SSO OIDC Kerberos Single Sign-on para Servidor FeCru (Kantega SSO Enterprise). (Aquí, FeCru se refiere a los productos Atlassian Fisheye y Crucible que funcionan juntos).

29 Dec 2023, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-12-29 22:15

Updated : 2024-11-21 08:39

NVD link : CVE-2023-52240

Mitre link : CVE-2023-52240

CVE.ORG link : CVE-2023-52240

JSON object : View

Products Affected

kantega-sso

kantega_saml_sso_oidc_kerberos_single_sign-on

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

6.1 /10