One low-risk vulnerability was discovered within the SecureAuth IdP v9.3 application. This vulnerability could allow malicious high-privilege users to modify usernames to contain an Angular template payload that could potentially be used to steal credentials during the authentication process.
The SecureAuth application was affected by a client-side template injection vulnerability that can lead to cross-site scripting (XSS) attacks.
SecureAuth is an enterprise identity and access-management service. The project’s official website is https://www.secureauth.com/. The latest version of the application is 9.3.0-17, released on June 5, 2020.
One vulnerability was identified within the SecureAuth application:
Update to version 9.3.0-17
This vulnerability is described in the following sections.
Client-Side Template Injection
The /SecureAuth.aspx endpoint's rendering of user-controlled username and email values is vulnerable to AngularJS client-side template injection. XSS payloads contained in the username or email can be executed during the authentication process.
The username containing the payload was used to log in, as shown in the request below:
POST /[REDACTED]/SecureAuth.aspx?client_id=[REDACTED] …omitted for brevity…
Figure 2 – SecureAuth login request
After submitting the request, the payload executed on the page, as shown below:
The payload triggered as an error during the sign-in process, resulting in self-XSS. Alternatively, an attacker, such as a malicious administrator, could change the email address of another user and would be able to use this attack to perform XSS against users during authentication.
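For defenders, the following added example (not SecureAuth's code and not the vendor's fix) audits stored username and email values for AngularJS interpolation markers and renders a value so that AngularJS does not compile it. It assumes the default `{{` and `}}` delimiters; the function names, field names and sample records are constructed for illustration.

```javascript
// Added example, not vendor code. Assumes AngularJS default delimiters "{{" and "}}".
const START = "{{";
const END = "}}";

// HTML-escape for a text context. Braces pass through untouched, so this alone
// does not stop AngularJS from interpolating the value when it compiles the DOM.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Flag either delimiter: a lone "{{" can still pair with a "}}" elsewhere on the page.
function hasTemplateMarker(value) {
  const s = String(value);
  return s.includes(START) || s.includes(END);
}

// Audit stored accounts and report which identity fields carry template markers.
function auditAccounts(accounts, fields = ["username", "email"]) {
  const findings = [];
  for (const acct of accounts) {
    for (const field of fields) {
      if (acct[field] != null && hasTemplateMarker(acct[field])) {
        findings.push({ id: acct.id, field });
      }
    }
  }
  return findings;
}

// Render a value so AngularJS skips it: escape HTML first (so the value cannot
// close the wrapper), then wrap it in an element marked ng-non-bindable.
function renderInert(value) {
  return `<span ng-non-bindable>${escapeHtml(value)}</span>`;
}

// Constructed sample records; ids, names and addresses are illustrative only.
const SAMPLE_ACCOUNTS = [
  { id: 1, username: "alice", email: "alice@example.test" },
  { id: 2, username: "bob{{1+1}}", email: "bob@example.test" },
  { id: 3, username: "carol", email: "carol{{x}}@example.test" },
];

console.log(auditAccounts(SAMPLE_ACCOUNTS));
console.log(renderInert(SAMPLE_ACCOUNTS[1].username));
```

The audit catches values already stored in the directory, while `renderInert` covers the rendering side, since HTML encoding by itself leaves the braces in place.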
- Initial discovery: 02/20/2020
- Contact with vendor: 02/24/2020
- Vendor acknowledged vulnerabilities: 02/24/2020
- Vendor released patched version 9.3.0-17: 06/05/2020
- Vulnerability publicly disclosed: 06/19/2020