Bishop Fox named “Leader” in 2024 GigaOm Radar for Attack Surface Management. Read the Report ›

Gauge low severity reading



One low-risk vulnerability was discovered within the SecureAuth IdP v9.3 application. This vulnerability could allow malicious high-privilege users to modify usernames to contain an Angular template payload that could potentially be used to steal credentials during the authentication process.


The SecureAuth application was affected by a client-side template injection vulnerability that can lead to cross-site scripting (XSS) attacks.

Risk Level


Affected Vendor

Product Vendor

Product Name

Affected Version

SecureAuth SecureAuth 9.3

Product Description

SecureAuth is an enterprise identity and access-management service. The project’s official website is The latest version of the application is 9.3.0-17, released on June 5, 2020.

Vulnerabilities List:

One vulnerability was identified within the SecureAuth application:



Update to version 9.3.0-17

This vulnerability is described in the following sections.


Client-Side Template Injection


Security Risk


Access Vector

CVE-2020-9437 Low Cross-site scripting Remote

The /SecureAuth.aspx endpoint's rendering of user-controlled username and email values is vulnerable to AngularJS client-side template injection. XSS payloads contained in the username or email can be executed during the authentication process.

The following AngularJS expression was used to execute a proof-of-concept Javascript payload:


The username containing the payload was used to log in, as shown in the request below:

POST /[REDACTED]/SecureAuth.aspx?client_id=[REDACTED]
…omitted for brevity…

Figure 2 – SecureAuth login request

After submitting the request, the payload executed on the page, as shown below:

JavaScript alerting window.location

Figure 3 JavaScript alerting window.location

The payload triggered as an error during the sign-in process, resulting in self-XSS. Alternatively, an attacker could change the email address of another user, such as a malicious administrator, and would be able to use this attack to perform XSS against users during authentication.


Chris Davis, Consultant, Bishop Fox ([email protected])
Robert Punnett, Senior Consultant, Bishop Fox ([email protected])


  1. Initial discovery: 02/20/2020
  2. Contact with vendor: 02/24/2020
  3. Vendor acknowledged vulnerabilities: 02/24/2020
  4. Vendor released patched version 9.3.0-17: 06/05/2020
  5. Vulnerability publicly disclosed: 06/19/2020

Subscribe to Bishop Fox's Security Blog

Be first to learn about latest tools, advisories, and findings.

Chris davis

About the author, Chris Davis

Senior Security Consultant

Chris Davis is a Senior Security Consultant at Bishop Fox. His areas of expertise are application penetration testing (static and dynamic) and external network penetration testing.

Chris actively conducts independent security research and has been credited with the discovery of 40 CVEs (including CVE-2019-7551 and CVE-2018-17150) on enterprise-level, highly distributed software. The vulnerabilities he identified included remote code execution and cross-site scripting (XSS).
More by Chris

Robert punnett

About the author, Robert Punnett

Managing Security Consultant

Robert Punnett (OSCP) is a Managing Security Consultant Bishop Fox. His primary areas of expertise are external network penetration testing, web application assessments, and red teaming. Additionally, Robert is an independent security researcher who participates in bug bounty programs and has also led security teams for Fortune 500 companies in the retail and transportation spaces.

More by Robert

This site uses cookies to provide you with a great user experience. By continuing to use our website, you consent to the use of cookies. To find out more about the cookies we use, please see our Privacy Policy.