Cross-Site Scripting Vulnerability in SAML Metadata Endpoint
A Cross-Site Scripting (XSS) vulnerability was identified in the SAML metadata endpoint of lunary-ai/lunary version 1.2.7. The endpoint neither validates nor escapes the 'orgId' parameter before reflecting it into the generated response, so an attacker who gets a victim to load a crafted URL can inject arbitrary markup and script. No fixed version or patch commit was listed at the time of this advisory, so the issue should be treated as unpatched and addressed promptly.
Available publicly on May 31 2024
Remediation Steps
- Validate the 'orgId' parameter against an allow-list pattern matching the identifier format the application actually issues, and reject anything else with a 400 before it reaches the template.
- Encode 'orgId' for the XML context it is written into (attribute value or element text) when generating the metadata document; do not build the response by interpolating raw request input into a string.
- Regularly audit and update the dependencies and frameworks used by the application to mitigate known vulnerabilities.
- Serve the endpoint with a restrictive Content-Security-Policy header, a non-HTML Content-Type and X-Content-Type-Options: nosniff, so that a browser loading the response will not execute injected script even if another encoding defect slips through.
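The following is an added example, not code from the lunary project or from the advisory, showing the remediation steps above together: a vulnerable metadata builder that interpolates 'orgId' into XML, and a hardened handler that validates the identifier, escapes it for the XML context, and sets defensive response headers. The metadata layout, the base URL `https://sp.example.invalid`, the UUID format for 'orgId', and the function names are all assumptions made for illustration.

```javascript
// Added example (not lunary's own code). Base URL and metadata shape are assumed.
const BASE_URL = "https://sp.example.invalid";

// VULNERABLE: orgId is dropped into the XML verbatim, so a value such as
// 'x"><script>alert(1)</script>' ends up in the response body unchanged.
function buildSamlMetadataUnsafe(orgId) {
  return `<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="${BASE_URL}/saml/${orgId}/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="${BASE_URL}/saml/${orgId}/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>`;
}

// Step 1: allow-list validation. Assumed identifier format: a UUID; adjust the
// pattern to whatever scheme the application really issues.
const ORG_ID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
function isValidOrgId(orgId) {
  return typeof orgId === "string" && ORG_ID_RE.test(orgId);
}

// Step 2: contextual output encoding for XML attribute values and text nodes.
function escapeXml(s) {
  const map = { "<": "&lt;", ">": "&gt;", "&": "&amp;", '"': "&quot;", "'": "&apos;" };
  return String(s).replace(/[<>&"']/g, (c) => map[c]);
}

// Hardened builder: validation first, escaping as defence in depth.
function buildSamlMetadataSafe(orgId) {
  if (!isValidOrgId(orgId)) {
    throw new RangeError("invalid orgId");
  }
  const id = escapeXml(orgId);
  return `<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="${BASE_URL}/saml/${id}/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="${BASE_URL}/saml/${id}/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>`;
}

// Step 3: headers that keep a browser from treating the response as active
// content even if an encoding bug slips through elsewhere.
function metadataResponseHeaders() {
  return {
    "Content-Type": "application/samlmetadata+xml; charset=utf-8",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'none'; sandbox",
    "Content-Disposition": 'attachment; filename="metadata.xml"',
  };
}

// Framework-agnostic handler: returns {status, headers, body} so it can be wired
// into Koa, Express or a plain http.Server.
function handleMetadataRequest(orgId) {
  if (!isValidOrgId(orgId)) {
    return {
      status: 400,
      headers: { "Content-Type": "text/plain; charset=utf-8", "X-Content-Type-Options": "nosniff" },
      body: "invalid orgId",
    };
  }
  return { status: 200, headers: metadataResponseHeaders(), body: buildSamlMetadataSafe(orgId) };
}

// Constructed inputs for a quick local check.
const ATTACK = 'x"><script>alert(1)</script>';
const GOOD_ID = "123e4567-e89b-12d3-a456-426614174000";
console.log("unsafe reflects payload:", buildSamlMetadataUnsafe(ATTACK).includes("<script>"));
console.log("hardened status for payload:", handleMetadataRequest(ATTACK).status);
console.log("hardened status for valid id:", handleMetadataRequest(GOOD_ID).status);
```

The allow-list check does the real work here; `escapeXml` is kept as a second layer so that a future change to the identifier format cannot silently reintroduce reflection, and the headers limit what a browser will do with the document if it is ever opened directly.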
Patch Details
- Fixed Version: N/A
- Patch Commit: N/A