CVE-2024-0981

CVSS v3 7.1 HIGH

7.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

O

kta Browser Plugin versions 6.5.0 through 6.31.0 (Chrome/Edge/Firefox/Safari) are vulnerable to cross-site scripting. This issue occurs when the plugin prompts the user to save these credentials within Okta Personal. A fix was implemented to properly escape these fields, addressing the vulnerability. Importantly, if Okta Personal is not added to the plugin to enable multi-account view, the Workforce Identity Cloud plugin is not affected by this issue. The vulnerability is fixed in Okta Browser Plugin version 6.32.0 for Chrome/Edge/Safari/Firefox.

References

Link	Resource
https://trust.okta.com/security-advisories/okta-browser-plugin-reflected-cross-site-scripting-cve-2024-0981
https://trust.okta.com/security-advisories/okta-browser-plugin-reflected-cross-site-scripting-cve-2024-0981

Configurations

No configuration.

History

21 Nov 2024, 08:47

Type	Values Removed	Values Added
References	~~() https://trust.okta.com/security-advisories/okta-browser-plugin-reflected-cross-site-scripting-cve-2024-0981 -~~	() https://trust.okta.com/security-advisories/okta-browser-plugin-reflected-cross-site-scripting-cve-2024-0981 -

24 Jul 2024, 12:55

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-07-23 21:15

Updated : 2024-11-21 08:47

NVD link : CVE-2024-0981

Mitre link : CVE-2024-0981

CVE.ORG link : CVE-2024-0981

JSON object : View

Products Affected

No product.

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2024-0981", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.2, "exploitabilityScore": 2.8}]}, "published": "2024-07-23T21:15:12.773", "references": [{"url": "https://trust.okta.com/security-advisories/okta-browser-plugin-reflected-cross-site-scripting-cve-2024-0981", "source": "[email protected]"}, {"url": "https://trust.okta.com/security-advisories/okta-browser-plugin-reflected-cross-site-scripting-cve-2024-0981", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Okta Browser Plugin versions 6.5.0 through 6.31.0 (Chrome/Edge/Firefox/Safari) are vulnerable to cross-site scripting. This issue occurs when the plugin prompts the user to save these credentials within Okta Personal. A fix was implemented to properly escape these fields, addressing the vulnerability. Importantly, if Okta Personal is not added to the plugin to enable multi-account view, the Workforce Identity Cloud plugin is not affected by this issue. The vulnerability is fixed in Okta Browser Plugin version 6.32.0 for Chrome/Edge/Safari/Firefox."}, {"lang": "es", "value": "Las versiones 6.5.0 a 6.31.0 de Okta Browser Plugin (Chrome/Edge/Firefox/Safari) son vulnerables a Cross Site Scripting. Este problema ocurre cuando el complemento solicita al usuario que guarde estas credenciales en Okta Personal. Se implement\u00f3 una soluci\u00f3n para escapar correctamente de estos campos, solucionando la vulnerabilidad. Es importante destacar que si Okta Personal no se agrega al complemento para habilitar la vista de m\u00faltiples cuentas, el complemento Workforce Identity Cloud no se ve afectado por este problema. La vulnerabilidad se solucion\u00f3 en Okta Browser Plugin versi\u00f3n 6.32.0 para Chrome/Edge/Safari/Firefox."}], "lastModified": "2024-11-21T08:47:56.900", "sourceIdentifier": "[email protected]"}