Severity: Medium

Project: lunary

Broken Access Control in SAML Functionality

A broken access control vulnerability was identified in the latest version of the software, allowing users from one organization to update the IDP and view metadata of another organization. This issue has not yet been patched.

Available publicly on Jul 12 2024

CVSS score: 6.5

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Credit: d47secc

Remediation Steps
  • Implement proper access control checks to ensure that users can only update and view the IDP settings of their own organization.
  • Validate the organization ID in the token against the organization ID in the request.
  • Conduct a thorough security review of the SAML functionality to identify and fix similar issues.
  • Release a patched version of the software and notify affected users to update immediately.
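The first two remediation steps describe one check: the organization ID carried in the caller's verified token must match the organization whose SAML settings the request names. The following is an added illustration of that check, not lunary's own code: the store, the handler names and the token shape are assumptions, and the token is assumed to have already been signature-verified by upstream authentication middleware. The unchecked handler shows the pattern the advisory describes (trusting the request-supplied organization ID alone); the checked handlers show the fix.

```javascript
// Added example (not lunary's code): organization-scoped access control for SAML IDP settings.
// Constructed in-memory store, keyed by organization ID (assumption about the data model).
const samlStore = new Map([
  ["org-a", { idpUrl: "https://idp.org-a.example/sso", metadata: "<EntityDescriptor entityID='org-a'/>" }],
  ["org-b", { idpUrl: "https://idp.org-b.example/sso", metadata: "<EntityDescriptor entityID='org-b'/>" }],
]);

class AccessDeniedError extends Error {
  constructor(message) {
    super(message);
    this.status = 403;
  }
}

// The core check: the organization claim in the (already verified) token must equal
// the organization named in the request. Missing or non-string values are rejected
// rather than treated as a wildcard.
function assertSameOrg(tokenClaims, requestedOrgId) {
  if (!tokenClaims || typeof tokenClaims.orgId !== "string") {
    throw new AccessDeniedError("token carries no organization claim");
  }
  if (typeof requestedOrgId !== "string" || tokenClaims.orgId !== requestedOrgId) {
    throw new AccessDeniedError("token organization does not match requested organization");
  }
}

// Vulnerable pattern, for contrast: the organization ID comes only from the request,
// so any authenticated user can write another organization's IDP settings.
function updateSamlIdpUnchecked(tokenClaims, requestedOrgId, idpUrl) {
  const current = samlStore.get(requestedOrgId) || { metadata: "" };
  samlStore.set(requestedOrgId, { ...current, idpUrl });
  return { orgId: requestedOrgId, idpUrl };
}

// Fixed handlers: every SAML read or write is gated by assertSameOrg.
function updateSamlIdp(tokenClaims, requestedOrgId, idpUrl) {
  assertSameOrg(tokenClaims, requestedOrgId);
  const current = samlStore.get(requestedOrgId) || { metadata: "" };
  samlStore.set(requestedOrgId, { ...current, idpUrl });
  return { orgId: requestedOrgId, idpUrl };
}

function getSamlMetadata(tokenClaims, requestedOrgId) {
  assertSameOrg(tokenClaims, requestedOrgId);
  const entry = samlStore.get(requestedOrgId);
  return entry ? entry.metadata : null;
}

// Maps a handler call to an HTTP-style result, the way a route wrapper would:
// access-control failures become 403, anything else 500.
function handle(fn, ...args) {
  try {
    return { status: 200, body: fn(...args) };
  } catch (e) {
    return { status: e.status || 500, body: e.message };
  }
}

// Stand-alone demonstration with a constructed token for a user of org-a.
const userA = { sub: "user-1", orgId: "org-a" };
console.log(handle(getSamlMetadata, userA, "org-a")); // 200, org-a metadata
console.log(handle(getSamlMetadata, userA, "org-b")); // 403
console.log(handle(updateSamlIdp, userA, "org-b", "https://attacker-controlled.example/sso")); // 403
```

The deciding detail is that `assertSameOrg` compares the organization from the token, which the server issued, against the organization from the request, which the client controls; the request value is never used as the sole authority for which organization's settings are read or written. Keeping the check in one function that every SAML handler calls is what makes the third remediation step (reviewing the rest of the SAML surface for the same bug) tractable.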
Patch Details
  • Fixed Version: N/A
  • Patch Commit: N/A