{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-08T09:46:49.679","vulnerabilities":[{"cve":{"id":"CVE-2023-49111","sourceIdentifier":"551230f0-3615-47bd-b7cc-93e92e730bbf","published":"2024-06-20T13:15:49.380","lastModified":"2026-04-15T00:35:42.020","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"For Kiuwan installations with SSO (single sign-on) enabled, an \nunauthenticated reflected cross-site scripting attack can be performed \non the login page \"login.html\". This is possible due to the request parameter \"message\" values\n being directly included in a JavaScript block in the response. This is \nespecially critical in business environments using AD SSO \nauthentication, e.g. via ADFS, where attackers could potentially steal \nAD passwords.\n\n\n\nThis issue affects Kiuwan SAST: <master.1808.p685.q13371"},{"lang":"es","value":"Para las instalaciones de Kiuwan con SSO (inicio de sesión único) habilitado, se puede realizar un ataque de  Cross Site Scripting reflejado no autenticado en la página de inicio de sesión \"login.html\". Esto es posible debido a que los valores de \"mensaje\" del parámetro de solicitud se incluyen directamente en un bloque de JavaScript en la respuesta. Esto es especialmente crítico en entornos empresariales que utilizan autenticación AD SSO, por ejemplo, a través de ADFS, donde los atacantes podrían potencialmente robar contraseñas de AD. Este problema afecta a Kiuwan SAST: "}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":3.6}]},"weaknesses":[{"source":"551230f0-3615-47bd-b7cc-93e92e730bbf","type":"Secondary","description":[{"lang":"en","value":"CWE-79"}]}],"references":[{"url":"https://r.sec-consult.com/kiuwan","source":"551230f0-3615-47bd-b7cc-93e92e730bbf"},{"url":"https://www.kiuwan.com/docs/display/K5/%5B2024-05-30%5D+Change+Log","source":"551230f0-3615-47bd-b7cc-93e92e730bbf"},{"url":"http://seclists.org/fulldisclosure/2024/Jun/3","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"https://r.sec-consult.com/kiuwan","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"https://www.kiuwan.com/docs/display/K5/%5B2024-05-30%5D+Change+Log","source":"af854a3a-2127-422b-91ae-364da2661108"}]}}]}