{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-0981", "assignerOrgId": "59b22baa-87b2-4371-8e4a-e080df12f74a", "state": "PUBLISHED", "assignerShortName": "Okta", "dateReserved": "2024-01-26T22:42:26.526Z", "datePublished": "2024-07-23T20:49:31.774Z", "dateUpdated": "2024-08-01T18:26:30.219Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Okta Browser Plugin", "vendor": "Okta", "versions": [{"version": "6.5.0 through 6.31.0", "status": "affected", "versionType": "semver"}, {"version": "6.32.0", "status": "unaffected", "versionType": "semver"}]}], "datePublic": "2024-07-23T21:00:00.000Z", "descriptions": [{"lang": "en", "value": "Okta Browser Plugin versions 6.5.0 through 6.31.0 (Chrome/Edge/Firefox/Safari) are vulnerable to cross-site scripting. This issue occurs when the plugin prompts the user to save these credentials within Okta Personal. A fix was implemented to properly escape these fields, addressing the vulnerability. Importantly, if Okta Personal is not added to the plugin to enable multi-account view, the Workforce Identity Cloud plugin is not affected by this issue. The vulnerability is fixed in Okta Browser Plugin version 6.32.0 for Chrome/Edge/Safari/Firefox."}], "metrics": [{"cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "59b22baa-87b2-4371-8e4a-e080df12f74a", "shortName": "Okta", "dateUpdated": "2024-07-23T20:53:13.772Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://trust.okta.com/security-advisories/okta-browser-plugin-reflected-cross-site-scripting-cve-2024-0981"}], "solutions": [{"lang": "en", "value": "The vulnerability is fixed in Okta Browser Plugin version 6.32.0 for Chrome/Edge/Safari/Firefox."}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-24T13:21:12.411913Z", "id": "CVE-2024-0981", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-26T17:55:53.987Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:26:30.219Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://trust.okta.com/security-advisories/okta-browser-plugin-reflected-cross-site-scripting-cve-2024-0981"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://trust.okta.com/security-advisories/okta-browser-plugin-reflected-cross-site-scripting-cve-2024-0981", "tags": ["vendor-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:26:30.219Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-0981", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-24T13:21:12.411913Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-26T17:55:45.873Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Okta", "product": "Okta Browser Plugin", "versions": [{"status": "affected", "version": "6.5.0 through 6.31.0", "versionType": "semver"}, {"status": "unaffected", "version": "6.32.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "The vulnerability is fixed in Okta Browser Plugin version 6.32.0 for Chrome/Edge/Safari/Firefox."}], "datePublic": "2024-07-23T21:00:00.000Z", "references": [{"url": "https://trust.okta.com/security-advisories/okta-browser-plugin-reflected-cross-site-scripting-cve-2024-0981", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "Okta Browser Plugin versions 6.5.0 through 6.31.0 (Chrome/Edge/Firefox/Safari) are vulnerable to cross-site scripting. This issue occurs when the plugin prompts the user to save these credentials within Okta Personal. A fix was implemented to properly escape these fields, addressing the vulnerability. Importantly, if Okta Personal is not added to the plugin to enable multi-account view, the Workforce Identity Cloud plugin is not affected by this issue. The vulnerability is fixed in Okta Browser Plugin version 6.32.0 for Chrome/Edge/Safari/Firefox."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)"}]}], "providerMetadata": {"orgId": "59b22baa-87b2-4371-8e4a-e080df12f74a", "shortName": "Okta", "dateUpdated": "2024-07-23T20:53:13.772Z"}}}, "cveMetadata": {"cveId": "CVE-2024-0981", "state": "PUBLISHED", "dateUpdated": "2024-08-01T18:26:30.219Z", "dateReserved": "2024-01-26T22:42:26.526Z", "assignerOrgId": "59b22baa-87b2-4371-8e4a-e080df12f74a", "datePublished": "2024-07-23T20:49:31.774Z", "assignerShortName": "Okta"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "Okta Browser Plugin versions 6.5.0 through 6.31.0 (Chrome/Edge/Firefox/Safari) are vulnerable to cross-site scripting. This issue occurs when the plugin prompts the user to save these credentials within Okta Personal. A fix was implemented to properly escape these fields, addressing the vulnerability. Importantly, if Okta Personal is not added to the plugin to enable multi-account view, the Workforce Identity Cloud plugin is not affected by this issue. The vulnerability is fixed in Okta Browser Plugin version 6.32.0 for Chrome/Edge/Safari/Firefox."}, {"lang": "es", "value": "Las versiones 6.5.0 a 6.31.0 de Okta Browser Plugin (Chrome/Edge/Firefox/Safari) son vulnerables a Cross Site Scripting. Este problema ocurre cuando el complemento solicita al usuario que guarde estas credenciales en Okta Personal. Se implement\u00f3 una soluci\u00f3n para escapar correctamente de estos campos, solucionando la vulnerabilidad. Es importante destacar que si Okta Personal no se agrega al complemento para habilitar la vista de m\u00faltiples cuentas, el complemento Workforce Identity Cloud no se ve afectado por este problema. La vulnerabilidad se solucion\u00f3 en Okta Browser Plugin versi\u00f3n 6.32.0 para Chrome/Edge/Safari/Firefox."}], "id": "CVE-2024-0981", "lastModified": "2024-11-21T08:47:56.900", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "psirt@okta.com", "type": "Secondary"}]}, "published": "2024-07-23T21:15:12.773", "references": [{"source": "psirt@okta.com", "url": "https://trust.okta.com/security-advisories/okta-browser-plugin-reflected-cross-site-scripting-cve-2024-0981"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://trust.okta.com/security-advisories/okta-browser-plugin-reflected-cross-site-scripting-cve-2024-0981"}], "sourceIdentifier": "psirt@okta.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "psirt@okta.com", "type": "Secondary"}]}

{}

{}