FKIE_CVE-2024-0981
Vulnerability from fkie_nvd - Published: 2024-07-23 21:15 - Updated: 2024-11-21 08:47
Severity: 7.1 (HIGH), CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Summary
Okta Browser Plugin versions 6.5.0 through 6.31.0 (Chrome/Edge/Firefox/Safari) are vulnerable to cross-site scripting. This issue occurs when the plugin prompts the user to save these credentials within Okta Personal. A fix was implemented to properly escape these fields, addressing the vulnerability. Importantly, if Okta Personal is not added to the plugin to enable multi-account view, the Workforce Identity Cloud plugin is not affected by this issue. The vulnerability is fixed in Okta Browser Plugin version 6.32.0 for Chrome/Edge/Safari/Firefox.
```json
{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Okta Browser Plugin versions 6.5.0 through 6.31.0 (Chrome/Edge/Firefox/Safari) are vulnerable to cross-site scripting. This issue occurs when the plugin prompts the user to save these credentials within Okta Personal. A fix was implemented to properly escape these fields, addressing the vulnerability. Importantly, if Okta Personal is not added to the plugin to enable multi-account view, the Workforce Identity Cloud plugin is not affected by this issue. The vulnerability is fixed in Okta Browser Plugin version 6.32.0 for Chrome/Edge/Safari/Firefox."
    },
    {
      "lang": "es",
      "value": "Las versiones 6.5.0 a 6.31.0 de Okta Browser Plugin (Chrome/Edge/Firefox/Safari) son vulnerables a Cross Site Scripting. Este problema ocurre cuando el complemento solicita al usuario que guarde estas credenciales en Okta Personal. Se implement\u00f3 una soluci\u00f3n para escapar correctamente de estos campos, solucionando la vulnerabilidad. Es importante destacar que si Okta Personal no se agrega al complemento para habilitar la vista de m\u00faltiples cuentas, el complemento Workforce Identity Cloud no se ve afectado por este problema. La vulnerabilidad se solucion\u00f3 en Okta Browser Plugin versi\u00f3n 6.32.0 para Chrome/Edge/Safari/Firefox."
    }
  ],
  "id": "CVE-2024-0981",
  "lastModified": "2024-11-21T08:47:56.900",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 4.2,
        "source": "psirt@okta.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-07-23T21:15:12.773",
  "references": [
    {
      "source": "psirt@okta.com",
      "url": "https://trust.okta.com/security-advisories/okta-browser-plugin-reflected-cross-site-scripting-cve-2024-0981"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://trust.okta.com/security-advisories/okta-browser-plugin-reflected-cross-site-scripting-cve-2024-0981"
    }
  ],
  "sourceIdentifier": "psirt@okta.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "psirt@okta.com",
      "type": "Secondary"
    }
  ]
}
```
Sightings
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.