Page Comparison

...

Date published	08 Nov 2023
Summary	SAML POST binding vulnerable to Cross-site scripting (XSS) through URL parameters
Affected apps	Kantega SAML SSO OIDC Kerberos Single Sign-on for Jira Kantega SAML SSO OIDC Kerberos Single Sign-on for Confluence Kantega SAML SSO OIDC Kerberos Single Sign-on for Bitbucket Kantega SAML SSO OIDC Kerberos Single Sign-on for Bamboo
Affected versions	All versions between 4.4.2 - 4.14.8, 5.0.0 - 5.11.4 and 6.0.0 - 6.19.0
Affected product feature	Identity Providers > SAML > Advanced SAML Settings > POST binding
Patched versions	Starting from 6.20.0. Backport patch: 5.11.5

...

Affected apps

Vulnerability criteria

Fixes

Kantega SAML SSO OIDC Kerberos Single Sign-on for Jira Data Center

Kantega SAML SSO OIDC Kerberos Single Sign-on for Jira Server

If you are running SAML with POST binding: All versions between 4.4.2 - 4.14.8, 5.0.0 - 5.11.4 and 6.0.0 - 6.19.0

Option 1: Update Kantega SSO Enterprise to version >= 6.20.0 or to backport version 5.11.5

Option 2: Disable POST binding in advanced SAML settings and use default redirect binding

Option 3: Configure a new Identity provider using OpenID Connect and disable SAML

Kantega SAML SSO OIDC Kerberos Single Sign-on for Confluence Data Center

Kantega SAML SSO OIDC Kerberos Single Sign-on for Confluence Server

If you are running SAML with POST binding: All versions between 4.4.2 - 4.14.8, 5.0.0 - 5.11.4 and 6.0.0 - 6.19.0

Option 1: Update Kantega SSO Enterprise to version >= 6.20.0 or to backport version 5.11.5

Option 2: Disable POST binding in advanced SAML settings and use default redirect binding

Option 3: Configure a new Identity provider using OpenID Connect and disable SAML

Kantega SAML SSO OIDC Kerberos Single Sign-on for Bitbucket Data Center

Kantega SAML SSO OIDC Kerberos Single Sign-on for Bitbucket Server

If you are running SAML with POST binding: All versions between 4.4.2 - 4.14.8, 5.0.0 - 5.11.4 and 6.0.0 - 6.19.0

Option 1: Update Kantega SSO Enterprise to version >= 6.20.0 or to backport version 5.11.5

Option 2: Disable POST binding in advanced SAML settings and use default redirect binding

Option 3: Configure a new Identity provider using OpenID Connect and disable SAML

Kantega SAML SSO OIDC Kerberos Single Sign-on for Bamboo Server

Kantega SAML SSO OIDC Kerberos Single Sign-on for Bamboo Data Center

If you are running SAML with POST binding: All versions between 4.4.2 - 4.14.8, 5.0.0 - 5.11.4 and 6.0.0 - 6.19.0

If you are running SAML with POST binding: All versions between 5.6.2 - 6.19.0

Option 1: Update Kantega SSO Enterprise to version >= 6.20.0 or to backport version 5.11.5

Option 2: Disable POST binding in advanced SAML settings and use default redirect binding

Option 3: Configure a new Identity provider using OpenID Connect and disable SAML

Kantega SAML SSO OIDC Kerberos Single Sign-on for FeCru

If you are running SAML with POST binding: All versions >= between 4.4.2 - 4.14.8

Option 1: Downgrade Kantega SSO Enterprise to version 4.4.1 or temporarily workaround and wait for update to 4.14.9 (we are working on a backport, it will be available soon)

Option 2: Disable POST binding in advanced SAML settings and use default redirect binding

Option 3: Configure a new Identity provider using OpenID Connect and disable SAML

...

Versions Compared

Old Version 14

New Version 15

Key