Summary
The host has Shibboleth Service Provider installed and is prone to multiple Cross-Site Scripting vulnerabilities.
Impact
Successful exploitation could allow remote attackers to inject arbitrary web script or HTML via URLs that are encountered in redirections and appear in automatically generated forms.
Impact Level: Application.
Solution
Upgrade to Shibboleth Service Provider version 1.3.5, 2.3, or later.
http://shibboleth.internet2.edu/downloads.html
Insight
The flaws are due to an error in the sanitization of certain URLs.
This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in the context of an affected site when malicious data is viewed.
Affected
Shibboleth Service Provider version 1.3.x before 1.3.5 and 2.x before 2.3 on Windows.
Severity
Classification
CVE: CVE-2009-3300
CVSS Base Score: 2.6
AV:N/AC:H/Au:N/C:N/I:P/A:N