CVE-2023-52240

The Kantega SAML SSO OIDC Kerberos Single Sign-on apps before 6.20.0 for Atlassian products allow XSS if SAML POST Binding is enabled. This affects 4.4.2 through 4.14.8 before 4.14.9, 5.0.0 through 5.11.4 before 5.11.5, and 6.0.0 through 6.19.0 before 6.20.0. The full product names are Kantega SAML SSO OIDC Kerberos Single Sign-on for Jira Data Center & Server (Kantega SSO Enterprise), Kantega SAML SSO OIDC Kerberos Single Sign-on for Confluence Data Center & Server (Kantega SSO Enterprise), Kantega SAML SSO OIDC Kerberos Single Sign-on for Bitbucket Data Center & Server (Kantega SSO Enterprise), Kantega SAML SSO OIDC Kerberos Single Sign-on for Bamboo Data Center & Server (Kantega SSO Enterprise), and Kantega SAML SSO OIDC Kerberos Single Sign-on for FeCru Server (Kantega SSO Enterprise). (Here, FeCru refers to the Atlassian Fisheye and Crucible products running together.)
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.1 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 52%
VendorProductVersion
kantega-ssokantega_saml_sso_oidc_kerberos_single_sign-on
4.4.2 ≤
𝑥
< 4.14.9
kantega-ssokantega_saml_sso_oidc_kerberos_single_sign-on
4.4.2 ≤
𝑥
< 4.14.9
kantega-ssokantega_saml_sso_oidc_kerberos_single_sign-on
4.4.2 ≤
𝑥
< 4.14.9
kantega-ssokantega_saml_sso_oidc_kerberos_single_sign-on
4.4.2 ≤
𝑥
< 4.14.9
kantega-ssokantega_saml_sso_oidc_kerberos_single_sign-on
4.4.2 ≤
𝑥
< 4.14.9
kantega-ssokantega_saml_sso_oidc_kerberos_single_sign-on
5.0.0 ≤
𝑥
< 5.11.5
kantega-ssokantega_saml_sso_oidc_kerberos_single_sign-on
5.0.0 ≤
𝑥
< 5.11.5
kantega-ssokantega_saml_sso_oidc_kerberos_single_sign-on
5.0.0 ≤
𝑥
< 5.11.5
kantega-ssokantega_saml_sso_oidc_kerberos_single_sign-on
5.0.0 ≤
𝑥
< 5.11.5
kantega-ssokantega_saml_sso_oidc_kerberos_single_sign-on
6.0.0 ≤
𝑥
< 6.20.0
kantega-ssokantega_saml_sso_oidc_kerberos_single_sign-on
6.0.0 ≤
𝑥
< 6.20.0
kantega-ssokantega_saml_sso_oidc_kerberos_single_sign-on
6.0.0 ≤
𝑥
< 6.20.0
kantega-ssokantega_saml_sso_oidc_kerberos_single_sign-on
6.0.0 ≤
𝑥
< 6.20.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://kantega-sso.atlassian.net/wiki/spaces/KSE/pages/1226473473/Security+Vulnerability+HTML+injection+Cross-site+scripting+in+SAML+POST+binding+Kantega+SSO+Enterprise
https://marketplace.atlassian.com/apps/1211923/kantega-saml-sso-oidc-kerberos-single-sign-on-for-jira?hosting=datacenter&tab=versions
https://marketplace.atlassian.com/apps/1212126/kantega-saml-sso-oidc-kerberos-single-sign-on-for-confluence?hosting=datacenter&tab=overview
https://marketplace.atlassian.com/apps/1213019/kantega-saml-sso-oidc-kerberos-single-sign-on-for-bitbucket?hosting=datacenter&tab=overview
https://marketplace.atlassian.com/apps/1215262/kantega-saml-sso-oidc-kerberos-single-sign-on-for-bamboo?hosting=datacenter&tab=overview
https://marketplace.atlassian.com/apps/1215263/kantega-saml-sso-oidc-kerberos-single-sign-on-for-fecru?hosting=server&tab=overview
https://kantega-sso.atlassian.net/wiki/spaces/KSE/pages/1226473473/Security+Vulnerability+HTML+injection+Cross-site+scripting+in+SAML+POST+binding+Kantega+SSO+Enterprise
https://marketplace.atlassian.com/apps/1211923/kantega-saml-sso-oidc-kerberos-single-sign-on-for-jira?hosting=datacenter&tab=versions
https://marketplace.atlassian.com/apps/1212126/kantega-saml-sso-oidc-kerberos-single-sign-on-for-confluence?hosting=datacenter&tab=overview
https://marketplace.atlassian.com/apps/1213019/kantega-saml-sso-oidc-kerberos-single-sign-on-for-bitbucket?hosting=datacenter&tab=overview
https://marketplace.atlassian.com/apps/1215262/kantega-saml-sso-oidc-kerberos-single-sign-on-for-bamboo?hosting=datacenter&tab=overview
https://marketplace.atlassian.com/apps/1215263/kantega-saml-sso-oidc-kerberos-single-sign-on-for-fecru?hosting=server&tab=overview