CVE-2023-49111 in SAST
Summary
by MITRE • 06/20/2024
For Kiuwan installations with SSO (single sign-on) enabled, an unauthenticated reflected cross-site scripting attack can be performed on the login page "login.html". This is possible due to the request parameter "message" values being directly included in a JavaScript block in the response. This is especially critical in business environments using AD SSO authentication, e.g. via ADFS, where attackers could potentially steal AD passwords.
This issue affects Kiuwan SAST: <master.1808.p685.q13371
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 03/22/2025
The vulnerability identified as CVE-2023-49111 represents a critical reflected cross-site scripting flaw within Kiuwan's single sign-on implementation that directly impacts the login page functionality. This security weakness specifically targets the login.html page where the application fails to properly sanitize user-supplied input parameters, creating an avenue for malicious actors to inject arbitrary JavaScript code into the victim's browser session. The vulnerability manifests through the message parameter which is directly embedded into JavaScript blocks within the server response without adequate input validation or output encoding mechanisms. This flaw particularly affects organizations utilizing Active Directory SSO authentication methods including ADFS implementations, where the potential for credential theft becomes significantly elevated due to the compromised authentication flow.
The technical exploitation of this vulnerability occurs when an attacker crafts a malicious URL containing crafted JavaScript payload within the message parameter and delivers it to a victim through social engineering or other means. When the victim's browser loads the login page with this malicious parameter, the JavaScript code executes within the context of the victim's session, potentially allowing attackers to steal session cookies, capture authentication tokens, or redirect users to malicious sites. The reflected nature of this XSS vulnerability means that the malicious payload is not stored on the server but rather reflected back to the user in the page response, making it particularly challenging to detect through traditional security scanning methods. This vulnerability directly maps to CWE-79 which categorizes cross-site scripting flaws as weaknesses in input validation and output encoding practices. The impact is amplified in enterprise environments where SSO systems are prevalent, as attackers can leverage this vulnerability to potentially escalate privileges and gain unauthorized access to corporate authentication systems.
Organizations utilizing Kiuwan SAST with SSO enabled face significant operational risks from this vulnerability, particularly those relying on AD SSO implementations such as ADFS. The potential for credential theft and session hijacking creates a substantial threat surface that could lead to unauthorized access to sensitive corporate systems and data. Attackers could exploit this vulnerability to capture AD passwords during the authentication process, potentially gaining access to entire corporate networks through compromised user credentials. The impact extends beyond individual user sessions to potentially compromise entire authentication infrastructures, especially in environments where SSO is used as a primary authentication mechanism. This vulnerability aligns with ATT&CK technique T1566 which covers social engineering tactics, and T1078 which addresses valid accounts usage, as attackers could leverage stolen session information to maintain persistent access to systems.
The recommended mitigations for CVE-2023-49111 focus on implementing proper input validation and output encoding mechanisms to prevent JavaScript injection in the login page response. Organizations should immediately patch their Kiuwan installations to the latest version that addresses this vulnerability, as provided by the vendor. Additionally, implementing Content Security Policy headers can provide an additional layer of protection against XSS attacks by restricting the sources from which scripts can be executed. Input sanitization should be implemented to ensure that all user-supplied parameters, particularly those used in dynamic JavaScript generation, are properly validated and escaped. Network-level protections such as web application firewalls can help detect and block malicious payloads attempting to exploit this vulnerability. Organizations should also consider implementing monitoring solutions to detect unusual patterns in login page access and parameter usage that might indicate attempted exploitation of this vulnerability. The remediation process should include comprehensive testing to ensure that the patch effectively addresses the reflected XSS condition while maintaining the intended functionality of the SSO login page.