CVE-2021-28963 Information

Description

Shibboleth Service Provider before 3.2.1 allows content injection because template generation uses attacker-controlled parameters.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Reference

https://shibboleth.net/community/advisories/secadv_20210317.txt https://git.shibboleth.net/view/?p=cpp-sp.git;a=commit;h=d1dbebfadc1bdb824fea63843c4c38fa69e54379 https://issues.shibboleth.net/jira/browse/SSPCPP-922 https://bugs.debian.org/985405 https://www.debian.org/security/2021/dsa-4872

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

NONE

Availability Impact

LOW

Base Score

NONE

Base Severity

5.3