CVE-2023-45683
Cross-site scripting via missing binding syntax validation in github.com/crewjam/saml
Description
The package does not validate the ACS Location URI according to the SAML binding being parsed. If abused, this flaw allows attackers to register malicious Service Providers at the IdP and inject Javascript in the ACS endpoint definition, achieving Cross-Site-Scripting (XSS) in the IdP context during the redirection at the end of a SAML SSO Flow. Consequently, an attacker may perform any authenticated action as the victim once the victim's browser loads the SAML IdP initiated SSO link for the malicious service provider.
How to fix CVE-2023-45683
To remediate CVE-2023-45683, upgrade the affected package to a fixed version below.
- —upgrade to 0.4.14 or later
- —upgrade to 0.4.14 or later
Is CVE-2023-45683 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 0.4.14
- from 0, < 0.4.14
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L |