7.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-45683

GHSA ID

GHSA-267v-3v32-g6q5

EPSS Score

0.54668%

CWE

CWE-79

Published

10/17/2023

Updated

11/11/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-45683

CVE-2023-45683: Cross-site Scripting via missing Binding syntax validation

Impact

The package does not validate the ACS Location URI according to the SAML binding being parsed.

If abused, this flaw allows attackers to register malicious Service Providers at the IdP and inject Javascript in the ACS endpoint definition, achieving Cross-Site-Scripting (XSS) in the IdP context during the redirection at the end of a SAML SSO Flow.

Consequently, an attacker may perform any authenticated action as the victim once the victim’s browser loaded the SAML IdP initiated SSO link for the malicious service provider.

Note: The severity is considered “High” because the SP registration is commonly an unrestricted operation in IdPs, hence not requiring particular permissions or publicly accessible to ease the IdP interoperability.

Patches

This issue is fixed in 0.4.14

Workarounds

Users of the package can perform external validation of URLs provided in SAML metadata, or restrict the ability for end-users to upload arbitrary metadata.

References

This issue was reported by Francesco Lacerenza from Doyensec.

(GitHub Advisory)

7.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-45683

GHSA ID

GHSA-267v-3v32-g6q5

EPSS Score

0.54668%

CWE

CWE-79

Published

10/17/2023

Updated

11/11/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/crewjam/saml	go	< 0.4.14	0.4.14

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing URI scheme validation during XML unmarshaling of SAML endpoints. The commit adds checkEndpointLocation validation and implements it in UnmarshalXML methods for both Endpoint and IndexedEndpoint types. The pre-patch versions lacked these validations, making these deserialization functions the entry points for untrusted Location values. The test case added in metadata_test.go specifically verifies rejection of javascript: URIs for HTTP-POST binding, confirming these were the vulnerable parsing points.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T** p**k*** *o*s not v*li**t* t** **S Lo**tion URI ***or*in* to t** S*ML *in*in* **in* p*rs**. I* **us**, t*is *l*w *llows *tt**k*rs to r**ist*r m*li*ious S*rvi** Provi**rs *t t** I*P *n* inj**t J*v*s*ript in t** **S *n*point ***inition,

Reasoning

T** vuln*r**ility st*ms *rom missin* URI s***m* v*li**tion *urin* XML unm*rs**lin* o* S*ML *n*points. T** *ommit ***s `****k*n*pointLo**tion` v*li**tion *n* impl*m*nts it in `Unm*rs**lXML` m*t*o*s *or *ot* `*n*point` *n* `In**x***n*point` typ*s. T**

7.1

Basic Information

Concerned about an active attack path?

CVE-2023-45683: Cross-site Scripting via missing Binding syntax validation

Impact

Patches

Workarounds

References

7.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI