GO-2023-2114

See a problem?
Please try reporting it to the source first.

Source

https://pkg.go.dev/vuln/GO-2023-2114

Import Source

https://vuln.go.dev/ID/GO-2023-2114.json

JSON Data

https://api.osv.dev/v1/vulns/GO-2023-2114

Aliases

Published

2023-10-24T16:45:15Z

Modified

2024-05-20T16:03:47Z

Summary

Cross-site scripting via missing binding syntax validation in github.com/crewjam/saml

Details

The package does not validate the ACS Location URI according to the SAML binding being parsed. If abused, this flaw allows attackers to register malicious Service Providers at the IdP and inject Javascript in the ACS endpoint definition, achieving Cross-Site-Scripting (XSS) in the IdP context during the redirection at the end of a SAML SSO Flow. Consequently, an attacker may perform any authenticated action as the victim once the victim's browser loads the SAML IdP initiated SSO link for the malicious service provider.

Database specific

{
    "review_status": "REVIEWED",
    "url": "https://pkg.go.dev/vuln/GO-2023-2114"
}

References

Credits

- Francesco Lacerenza from Doyensec

Affected packages

Go / github.com/crewjam/saml

Package

Name: github.com/crewjam/saml; View open source insights on deps.dev
Purl: pkg:golang/github.com/crewjam/saml

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.4.14

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/crewjam/saml"
        }
    ]
}