Unrated severityNVD Advisory· Published Nov 6, 2009· Updated Jun 16, 2026
CVE-2009-3300
CVE-2009-3300
Description
Multiple cross-site scripting (XSS) vulnerabilities in the Identity Provider (IdP) 1.3.x before 1.3.4 and 2.x before 2.1.5, and the Service Provider 1.3.x before 1.3.5 and 2.x before 2.3, in Internet2 Middleware Initiative Shibboleth allow remote attackers to inject arbitrary web script or HTML via URLs that are encountered in redirections, and appear in automatically generated forms.
Affected products
17cpe:2.3:a:internet2:identity_provider:1.3:*:*:*:*:*:*:*+ 8 more
- cpe:2.3:a:internet2:identity_provider:1.3:*:*:*:*:*:*:*
- cpe:2.3:a:internet2:identity_provider:1.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:internet2:identity_provider:1.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:internet2:identity_provider:1.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:internet2:identity_provider:2.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:internet2:identity_provider:2.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:internet2:identity_provider:2.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:internet2:identity_provider:2.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:internet2:identity_provider:2.1.4:*:*:*:*:*:*:*
cpe:2.3:a:internet2:service_provider:1.3:*:*:*:*:*:*:*+ 6 more
- cpe:2.3:a:internet2:service_provider:1.3:*:*:*:*:*:*:*
- cpe:2.3:a:internet2:service_provider:1.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:internet2:service_provider:1.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:internet2:service_provider:1.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:internet2:service_provider:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:internet2:service_provider:2.1:*:*:*:*:*:*:*
- cpe:2.3:a:internet2:service_provider:2.2:*:*:*:*:*:*:*
- Range: Identity Provider 1.3 < 1.3.4 and 2.x < 2.1.5; Service Provider 1.3 < 1.3.5 and 2.x < 2.3
Patches
Vulnerability mechanics
References
5- secunia.com/advisories/37237nvdVendor Advisory
- shibboleth.internet2.edu/secadv/secadv_20091104.txtnvdVendor Advisory
- www.vupen.com/english/advisories/2009/3150nvdVendor Advisory
- www.debian.org/security/2009/dsa-1947nvd
- exchange.xforce.ibmcloud.com/vulnerabilities/54140nvd
News mentions
0No linked articles in our index yet.