VYPR
Moderate severity · NVD Advisory · Published Feb 2, 2018 · Updated Aug 5, 2024

CVE-2017-18121

Description

Cross-Site Scripting vulnerability in SimpleSAMLphp consentAdmin module allows attackers to execute arbitrary JavaScript via crafted links.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The consentAdmin module in SimpleSAMLphp versions through 1.14.15 is vulnerable to a Cross-Site Scripting (XSS) attack [1]. The module allows users to view and manage consents given to third-party services. The logout link on the consent management page was constructed using the current URL without proper sanitization, enabling an attacker to inject arbitrary JavaScript [3].

Exploitation

An attacker can craft a malicious URL containing JavaScript code and trick a victim into clicking it. The victim must be logged into the SimpleSAMLphp Identity Provider with the consentAdmin module enabled and configured. No authentication or special privileges are required to create the malicious link [3].

Impact

Successful exploitation executes the attacker's JavaScript in the victim's browser within the context of the SimpleSAMLphp site. This can lead to session hijacking, data theft, or other malicious actions. The attacker gains the ability to perform actions on behalf of the victim, potentially compromising sensitive information [3].

Mitigation

Upgrade to SimpleSAMLphp version 1.15.0 or later, which fixes the issue by building the logout link manually instead of using the current URL [3]. If an upgrade is not immediately possible, disable the consentAdmin module until the upgrade can be performed [3].
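As an added illustration (not SimpleSAMLphp's own code, which this page does not show), the PHP below contrasts the pattern described above, a logout link assembled from the current request URL and written into HTML unescaped, with the approach the advisory describes as the fix, building the link from a fixed path and escaping it. The function names and the consentAdmin path are assumptions made for the example.

```php
<?php
// Added illustration, not SimpleSAMLphp's code: two ways of building the
// logout link on a consent-management page. Function names and the
// consentAdmin path below are assumptions made for this example.

// Vulnerable pattern: the raw request URI (query string included, and
// therefore influenced by whoever crafted the link) is concatenated straight
// into an href. Anything in it that closes the attribute or the tag lands
// in the DOM as markup.
function logoutLinkFromCurrentUrl(string $requestUri): string
{
    return '<a href="logout.php?ReturnTo=' . $requestUri . '">Logout</a>';
}

// Hardened pattern: the return target is assembled from a known base path
// rather than read back from the request, the query string is built with
// http_build_query() so the value is URL-encoded, and the finished href is
// HTML-escaped before it is placed in the attribute.
function logoutLinkFromFixedPath(string $basePath): string
{
    $returnTo = rtrim($basePath, '/') . '/module.php/consentAdmin/consentAdmin.php';
    $href = 'logout.php?' . http_build_query(['ReturnTo' => $returnTo]);
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">Logout</a>';
}

// Constructed request URI whose query string carries a harmless marker made
// of the characters a link builder must neutralise ('"', '<', '>').
$sampleUri = '/simplesaml/module.php/consentAdmin/consentAdmin.php?x="><b>marker</b>';

// With the first function the marker breaks out of the href attribute and
// becomes part of the page; with the second it never reaches the output.
echo logoutLinkFromCurrentUrl($sampleUri), PHP_EOL;
echo logoutLinkFromFixedPath('/simplesaml'), PHP_EOL;
```

A detection-side check for the same bug class is to grep templates for the request URI (or any self-URL helper) being concatenated into an href without an escaping call around it.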

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: simplesamlphp/simplesamlphp (Packagist)
Affected versions: >= 1.12.0, < 1.14.16
Patched versions: 1.14.16