CVE-2009-3300

Internet2 Identity Provider - XSS

Title source: rule

Description

Multiple cross-site scripting (XSS) vulnerabilities in the Identity Provider (IdP) 1.3.x before 1.3.4 and 2.x before 2.1.5, and the Service Provider 1.3.x before 1.3.5 and 2.x before 2.3, in Internet2 Middleware Initiative Shibboleth allow remote attackers to inject arbitrary web script or HTML via URLs that are encountered in redirections, and appear in automatically generated forms.

References (5)

[Vendor Advisory] http://secunia.com/advisories/37237

[Vendor Advisory] http://shibboleth.internet2.edu/secadv/secadv_20091104.txt

[Vendor Advisory] http://www.vupen.com/english/advisories/2009/3150

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/54140

[Third Party Advisory] http://www.debian.org/security/2009/dsa-1947

Scores

EPSS 0.0032

EPSS Percentile 54.7%

Classification

CWE

CWE-79

Status published

Affected Products (17)

internet2/identity_provider

internet2/identity_provider

internet2/identity_provider

internet2/identity_provider

internet2/identity_provider

internet2/identity_provider

internet2/identity_provider

internet2/identity_provider

internet2/identity_provider

internet2/service_provider

internet2/service_provider

internet2/service_provider

internet2/service_provider

internet2/service_provider

internet2/service_provider

... and 2 more

Timeline

Published Nov 06, 2009

Tracked Since Feb 18, 2026