Summary: The Okta Browser Plugin versions 6.5.0 through 6.31.0 are vulnerable to cross-site scripting, specifically when users are prompted to save credentials in Okta Personal. A fix has been implemented in version 6.32.0 to address this vulnerability, which primarily affects users who have enabled multi-account view.
Threat Actor: Unknown
Victim: Okta users
Key Points:
- Vulnerability affects Okta Browser Plugin versions 6.5.0 to 6.31.0 when using Okta Personal.
- A fix was released in version 6.32.0 for Chrome, Edge, Firefox, and Safari.
- Okta admins can identify users still running outdated plugin versions with the log query given under Resolution.
- The CVE for this vulnerability is CVE-2024-0981, with a CVSS score of 7.1.
Description
Okta Browser Plugin versions 6.5.0 through 6.31.0 (Chrome/Edge/Firefox/Safari) are vulnerable to cross-site scripting. The issue occurs when the plugin prompts the user to save newly entered credentials within Okta Personal. A fix was implemented to properly escape these fields, addressing the vulnerability. Importantly, if Okta Personal has not been added to the plugin to enable multi-account view, the Workforce Identity Cloud plugin is not affected by this issue.
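The fix described above is "properly escape these fields". The following added example is not Okta's plugin code; it shows the general pattern in a browser-extension context: credential fields captured from a login page are untrusted input, and interpolating them into a save prompt's markup without escaping lets markup in those fields be interpreted. The function and field names (escapeHtml, renderPromptUnsafe, renderPromptSafe, site, username) and the sample input are assumptions constructed for the example.

```javascript
// Added example (not Okta's plugin code): rendering credential fields into a
// "save to Okta Personal"-style prompt. Field values originate from the page
// the user just logged in to, so they are attacker-controlled input.
// All names here are hypothetical.

// Minimal HTML escaper for text placed inside element content or a
// double-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// The "before" pattern: untrusted fields interpolated straight into markup.
// Any tag inside `site` or `username` is parsed as HTML by the browser.
function renderPromptUnsafe({ site, username }) {
  return `<div class="save-prompt">Save credentials for <b>${site}</b> (user: ${username})?</div>`;
}

// The hardened pattern: every untrusted field is escaped before insertion,
// so markup characters are displayed literally instead of being interpreted.
function renderPromptSafe({ site, username }) {
  return `<div class="save-prompt">Save credentials for <b>${escapeHtml(site)}</b> (user: ${escapeHtml(username)})?</div>`;
}

// Check used to compare the two renderers: does the output contain any tag
// that the template itself did not emit? (A constructed check, not a sanitizer.)
function containsForeignTag(html) {
  const allowed = new Set(['div', '/div', 'b', '/b']);
  const tags = [...html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)]
    .map(m => (m[0].startsWith('</') ? '/' : '') + m[1].toLowerCase());
  return tags.some(t => !allowed.has(t));
}

// Constructed sample input: a username field that carries markup.
const sample = { site: 'example.test', username: '<i>probe</i>' };

console.log('unsafe render leaks markup :', containsForeignTag(renderPromptUnsafe(sample)));
console.log('safe render leaks markup   :', containsForeignTag(renderPromptSafe(sample)));
```

In a real extension the same rule applies when building DOM nodes: assign untrusted strings via `textContent` or attribute setters rather than `innerHTML`, which is the DOM equivalent of the escaped string template above.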
Affected product and versions
Okta users and customers that have currently installed versions 6.5.0 through 6.31.0 of the Okta Browser Plugin for Chrome, Edge, Firefox, and Safari and added Okta Personal to enable multi-account view.
Resolution
The vulnerability is fixed in Okta Browser Plugin version 6.32.0 for Chrome/Edge/Safari/Firefox.
Okta Admin Users can use the following query to search for users who are still using outdated versions of the plugin:

debugContext.debugData.oktaUserAgentExtended ne "okta-browser-plugin/6.32.0" and debugContext.debugData.oktaUserAgentExtended co "okta-browser-plugin/"
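The query above combines two filter operators, `ne` (not equal) and `co` (contains), on a single log attribute. The added example below is not an Okta tool; it applies those two operators to constructed log events offline so the query's behaviour can be checked before it is run against a live tenant, and it goes beyond the page with a version-aware variant that flags only the affected range 6.5.0 through 6.31.0 rather than every version other than 6.32.0. The event shape (the `debugContext.debugData.oktaUserAgentExtended` path from the advisory plus `actor.alternateId` as the user identifier), the sample values and all function names are assumptions for the example.

```javascript
// Added example (not an Okta tool): reproducing the advisory's System Log
// filter on constructed events. Event objects, values and function names are
// assumptions; only the attribute path comes from the advisory.

// Constructed sample events modelling just the fields the query touches.
const sampleEvents = [
  { actor: { alternateId: 'alice@example.test' }, debugContext: { debugData: { oktaUserAgentExtended: 'okta-browser-plugin/6.31.0' } } },
  { actor: { alternateId: 'bob@example.test' },   debugContext: { debugData: { oktaUserAgentExtended: 'okta-browser-plugin/6.32.0' } } },
  { actor: { alternateId: 'carol@example.test' }, debugContext: { debugData: { oktaUserAgentExtended: 'okta-browser-plugin/6.5.0' } } },
  { actor: { alternateId: 'dave@example.test' },  debugContext: { debugData: {} } },            // no plugin user agent at all
  { actor: { alternateId: 'erin@example.test' },  debugContext: { debugData: { oktaUserAgentExtended: 'okta-browser-plugin/6.33.0' } } },
];

// Reads the nested attribute path named in the query; undefined if absent.
function pluginUserAgent(event) {
  const ctx = event && event.debugContext;
  const data = ctx && ctx.debugData;
  return data ? data.oktaUserAgentExtended : undefined;
}

// Literal reproduction of the advisory's filter:
//   oktaUserAgentExtended ne "okta-browser-plugin/6.32.0"
//   and oktaUserAgentExtended co "okta-browser-plugin/"
function matchesAdvisoryQuery(event) {
  const ua = pluginUserAgent(event);
  if (typeof ua !== 'string') return false;      // `co` cannot match a missing attribute
  return ua !== 'okta-browser-plugin/6.32.0' && ua.includes('okta-browser-plugin/');
}

// Version-aware variant (beyond the page): report only the affected range
// 6.5.0..6.31.0, so a plugin newer than 6.32.0 is not flagged as outdated.
function parseVersion(ua) {
  const m = /okta-browser-plugin\/(\d+)\.(\d+)\.(\d+)/.exec(ua);
  return m ? m.slice(1, 4).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

const AFFECTED_MIN = [6, 5, 0];
const AFFECTED_MAX = [6, 31, 0];

function isAffectedVersion(event) {
  const ua = pluginUserAgent(event);
  const v = typeof ua === 'string' ? parseVersion(ua) : null;
  return v !== null
    && compareVersions(v, AFFECTED_MIN) >= 0
    && compareVersions(v, AFFECTED_MAX) <= 0;
}

// Distinct, sorted user ids from events satisfying a predicate.
function usersMatching(events, predicate) {
  return [...new Set(events.filter(predicate).map(e => e.actor.alternateId))].sort();
}

console.log('advisory query   :', usersMatching(sampleEvents, matchesAdvisoryQuery));
console.log('affected versions:', usersMatching(sampleEvents, isAffectedVersion));
```

Note what the two predicates disagree on: the literal query treats 6.33.0 as outdated because it is simply not equal to 6.32.0, while the range check reports only 6.5.0 and 6.31.0. The literal query remains the right one to paste into the admin console as given; the range variant is useful when the same log export is reviewed after later plugin releases.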
Severity Details
This issue occurred when a user entered new credentials and the plugin prompted to save them within Okta Personal. If Okta Personal was not added to the Okta Browser Plugin, the plugin is not affected by this issue.
CVE details
CVE ID | CVE-2024-0981
Published Date | 2024-07-22
Vulnerability Type | Cross-site Scripting
CWE | CWE-79
CVSS v3 | Score: 7.1 Vector string: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N