CVE-2019-19381
Description
oauth/oauth2/v1/saml/ in Abacus OAuth Login 2019_01_r4_20191021_0000 prior to R4 (20.11.2019 Hotfix) allows Reflected Cross Site Scripting (XSS) via an error message.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in Abacus OAuth Login allows attackers to execute arbitrary JavaScript by specifying a crafted error message for failed SAML login requests.
Vulnerability
A reflected cross-site scripting (XSS) vulnerability exists in Abacus OAuth Login versions 2019 prior to R4 (20.11.2019 Hotfix) and 2018 prior to R6 (20.11.2019 SP) when running with AbaWebServer (jetty) instead of AbaSioux. The flaw resides in the endpoint oauth/oauth2/v1/saml/. An attacker can inject arbitrary client-side code by providing a malicious error message that is echoed back to the user in the HTTP response without proper encoding [2].
Exploitation
The attacker does not need prior authentication; the vulnerability is remotely exploitable. The attacker crafts a URL containing a malicious JavaScript payload in the error message parameter of the SAML login page. When a victim visits this URL, the payload is reflected in the resulting HTML and executed in the victim's browser context. No special network position is required beyond the ability to deliver the crafted link to the target [2].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's session. This can lead to session hijacking, credential theft, or defacement. The injected code runs with the privileges of the authenticated user and can access any data or functionality available to that user within the application [2].
Mitigation
The vendor released a fix in R4 (20.11.2019 Hotfix) for version 2019 and R6 (20.11.2019 SP) for version 2018. Users should immediately upgrade to these patched versions. Applying the fix ensures user-provided input is properly encoded before being displayed back. Using AbaSioux instead of AbaWebServer (jetty) also prevents the vulnerability [2].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Abacus/OAuth Login
- Range: < R4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.compass-security.com/en/research/advisories/
- www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2019-024_Abacus_Cross-Site_Scripting_XSS.txt
News mentions
No linked articles in our index yet.