Werk 17094 was adapted. The following is the new Werk, a diff is shown at the end of the
message.
[//]: # (werk v2)
# Fix XSS on SAML login screen
key | value
---------- | ---
date | 2024-09-05T15:23:53+00:00
version | 2.3.0p16
class | security
edition | cee
component | wato
level | 1
compatible | yes
Prior to Werk, attackers could craft URLs that rendered clickable HTML links in the error
box on the SAML login page.
This could facilitate phishing attacks by tricking users into clicking malicious links.
Links in the error message are now escaped and no longer clickable.
This issue was identified during internal review.
*Affected Versions*:
* 2.3.0
* 2.2.0
Only users who have configured at least one SAML connection are affected.
*Vulnerability Management*:
We have rated the issue with a CVSS Score of 5.1 Medium
(`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N`) and assigned
`CVE-2024-38860`.
------------------------------------<diff>-------------------------------------------
[//]: # (werk v2)
# Fix XSS on SAML login screen
key | value
---------- | ---
date | 2024-09-05T15:23:53+00:00
version | 2.3.0p16
class | security
edition | cee
component | wato
level | 1
compatible | yes
Prior to Werk, attackers could craft URLs that rendered clickable HTML links in the
error box on the SAML login page.
This could facilitate phishing attacks by tricking users into clicking malicious links.
Links in the error message are now escaped and no longer clickable.
This issue was identified during internal review.
*Affected Versions*:
* 2.3.0
* 2.2.0
+ Only users who have configured at least one SAML connection are affected.
+
*Vulnerability Management*:
We have rated the issue with a CVSS Score of 5.1 Medium
(`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N`) and assigned
`CVE-2024-38860`.