CVE-2023-49111

  1. Yack CVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-49111

6.5 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

F

or Kiuwan installations with SSO (single sign-on) enabled, an unauthenticated reflected cross-site scripting attack can be performed on the login page "login.html". This is possible due to the request parameter "message" values being directly included in a JavaScript block in the response. This is especially critical in business environments using AD SSO authentication, e.g. via ADFS, where attackers could potentially steal AD passwords. This issue affects Kiuwan SAST: <master.1808.p685.q13371

References
Link Resource
https://r.sec-consult.com/kiuwan
https://www.kiuwan.com/docs/display/K5/%5B2024-05-30%5D+Change+Log
http://seclists.org/fulldisclosure/2024/Jun/3
https://r.sec-consult.com/kiuwan
https://www.kiuwan.com/docs/display/K5/%5B2024-05-30%5D+Change+Log
Configurations

No configuration.

History

04 Nov 2025, 18:15

Type Values Removed Values Added
References
  • () http://seclists.org/fulldisclosure/2024/Jun/3 -

21 Nov 2024, 08:32

Type Values Removed Values Added
References () https://r.sec-consult.com/kiuwan - () https://r.sec-consult.com/kiuwan -
References () https://www.kiuwan.com/docs/display/K5/%5B2024-05-30%5D+Change+Log - () https://www.kiuwan.com/docs/display/K5/%5B2024-05-30%5D+Change+Log -

03 Jul 2024, 01:42

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 6.5
Summary
  • (es) Para las instalaciones de Kiuwan con SSO (inicio de sesión único) habilitado, se puede realizar un ataque de Cross Site Scripting reflejado no autenticado en la página de inicio de sesión "login.html". Esto es posible debido a que los valores de "mensaje" del parámetro de solicitud se incluyen directamente en un bloque de JavaScript en la respuesta. Esto es especialmente crítico en entornos empresariales que utilizan autenticación AD SSO, por ejemplo, a través de ADFS, donde los atacantes podrían potencialmente robar contraseñas de AD. Este problema afecta a Kiuwan SAST:

20 Jun 2024, 13:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-06-20 13:15

Updated : 2025-11-04 18:15

NVD link : CVE-2023-49111

Mitre link : CVE-2023-49111

CVE.ORG link : CVE-2023-49111

JSON object : View

Products Affected

No product.

CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')