CVE-2009-3300
opensaml2 shibboleth-sp shibboleth-sp2 - cross-site scripting
EPSS 0.32%
Description
Multiple cross-site scripting (XSS) vulnerabilities in the Identity Provider (IdP) 1.3.x before 1.3.4 and 2.x before 2.1.5, and the Service Provider 1.3.x before 1.3.5 and 2.x before 2.3, in Internet2 Middleware Initiative Shibboleth allow remote attackers to inject arbitrary web script or HTML via URLs that are encountered in redirections and appear in automatically generated forms.
How to fix CVE-2009-3300
To remediate CVE-2009-3300, upgrade the affected package to a fixed version below.
- Debian/opensaml2: upgrade to 2.0-2+lenny2 or later
- (package name not listed on this page): upgrade to 3.0.2+dfsg1-2 or later
- (package name not listed on this page): upgrade to 1.3f.dfsg1-2+etch2 or later
- (package name not listed on this page): upgrade to 2.0.dfsg1-4+lenny2 or later
Is CVE-2009-3300 being exploited?
Low. EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (4)
- (package name not listed on this page): affected versions from 0 up to, but not including, 2.0-2+lenny2
- (package name not listed on this page): affected versions from 0 up to, but not including, 3.0.2+dfsg1-2
- (package name not listed on this page): affected versions from 0 up to, but not including, 1.3f.dfsg1-2+etch2
- (package name not listed on this page): affected versions from 0 up to, but not including, 2.0.dfsg1-4+lenny2