Cross-site Scripting in Apache Knox SSO
Moderate severity · GitHub Reviewed
Published Jan 21, 2022 to the GitHub Advisory Database · Updated Feb 3, 2023
Package
Affected versions: < 1.6.1
Patched versions: 1.6.1
Description
Published by the National Vulnerability Database: Jan 17, 2022
Reviewed: Jan 19, 2022
Published to the GitHub Advisory Database: Jan 21, 2022
Last updated: Feb 3, 2023
When using Apache Knox SSO prior to 1.6.1, a request could be crafted to redirect a user to a malicious page due to improper URL parsing. A request that included a specially crafted request parameter could be used to redirect the user to a page controlled by an attacker. This URL would need to be presented to the user outside the normal request flow through an XSS or phishing campaign.
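The defect described above is an open redirect: a post-login redirect target taken from a request parameter is not parsed and validated strictly enough, so a URL that looks local to a naive check can land on a host the attacker controls. The example below is added here and is not Knox's own code; the parameter name, the allow-listed hosts and the sample URLs are all constructed for illustration. It shows the validation a defender wants on any SSO redirect parameter: parse with a real URL parser, reject anything that is not plain `http`/`https` or a site-relative path, and compare the parsed host (not the raw string) against an allow-list, so that tricks such as `//evil.example`, userinfo prefixes like `https://app.example.org@evil.example`, backslashes and non-web schemes are all refused.

```python
from urllib.parse import urlsplit

# Hosts a post-login redirect may land on (constructed for this example).
ALLOWED_REDIRECT_HOSTS = {"knox.example.org", "app.example.org"}

# Characters that browsers and parsers treat differently; refuse them outright.
_FORBIDDEN_CHARS = "\\\r\n\t\x00"


def is_safe_redirect(url, allowed_hosts=ALLOWED_REDIRECT_HOSTS):
    """Return True only if `url` is a site-relative path ("/foo") or an
    absolute http(s) URL whose parsed hostname is on the allow-list."""
    if not url or any(c in url for c in _FORBIDDEN_CHARS):
        return False

    parts = urlsplit(url)

    # No scheme and no authority: a relative reference. Require a single
    # leading slash; "//evil.example" is scheme-relative and has a netloc,
    # so it never reaches this branch and is rejected below.
    if parts.scheme == "" and parts.netloc == "":
        return url.startswith("/") and not url.startswith("//")

    # Anything that is not plain http(s) (javascript:, data:, scheme-relative
    # URLs with an empty scheme, ...) is refused.
    if parts.scheme not in ("http", "https"):
        return False

    # `hostname` is lowercased and has userinfo and port stripped, so
    # "https://app.example.org@evil.example/" yields "evil.example" and
    # "https://APP.example.org:8443/x" yields "app.example.org".
    return parts.hostname in allowed_hosts


def choose_redirect(requested_url, fallback="/"):
    """Pick the redirect target for a login response: the requested URL if it
    passes validation, otherwise a safe local default (hypothetical helper)."""
    return requested_url if is_safe_redirect(requested_url) else fallback


if __name__ == "__main__":
    # Constructed sample inputs, roughly the shapes an SSO redirect check sees.
    samples = [
        "/gateway/dashboard",
        "https://app.example.org/home",
        "https://APP.example.org:8443/home",
        "//evil.example/phish",
        "https://app.example.org@evil.example/",
        "https://app.example.org.evil.example/",
        "javascript:alert(1)",
        "/\\evil.example",
    ]
    for s in samples:
        print(f"{s!r:45} -> {choose_redirect(s)}")
```

The comparison is done on the parsed hostname rather than on a substring or prefix of the raw string; prefix checks are exactly what `https://app.example.org@evil.example/` and `https://app.example.org.evil.example/` are built to defeat. Rejecting rather than rewriting doubtful input keeps the logic simple enough to review.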