PT-2023-27497 · Broadpeak · Broadpeak Centralized Accounts Management Auth Agent

Published: 2023-10-03 · Updated: 2023-10-05 · CVE-2023-40519

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Broadpeak Centralized Accounts Management Auth Agent versions 00.12.01.9565588 1254b459, 01.01.00.19219575 ee9195b0, 01.01.01.30097902 fd999e76

Description
A cross-site scripting (XSS) issue in the bpk-common/auth/login/index.html login portal allows remote attackers to inject arbitrary web script or HTML via the disconnectMessage parameter. The injected content is rendered in the browser of a user who opens the affected page, so attacker-supplied script can execute client-side in that user's session with the portal.

Recommendations
For Broadpeak Centralized Accounts Management Auth Agent versions 00.12.01.9565588 1254b459, 01.01.00.19219575 ee9195b0, 01.01.01.30097902 fd999e76, consider restricting access to the disconnectMessage parameter in the login portal to minimize the risk of exploitation. As a temporary workaround, avoid using the disconnectMessage parameter in the affected login portal until a patch is available. At the moment, there is no information about a newer version that contains a fix for this issue.
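The weakness class above (a query parameter reflected into login-page markup without encoding) and the two mitigations the advisory points at (escape the value for its output context, or stop treating the parameter as free text at all) are illustrated below. This is an added example written for this page; it is not Broadpeak's code and does not reproduce the affected portal. Only the parameter name disconnectMessage and the page path come from the advisory; every function name, the message allowlist and the sample URL are assumptions constructed for the example.

```javascript
// Added example (not Broadpeak code). Demonstrates, on a constructed login
// page, how a reflected "disconnectMessage" query parameter becomes an XSS
// sink and two ways to close it. All names except disconnectMessage and the
// page path are assumptions for this illustration.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape a string for the HTML text/attribute-value context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Extract disconnectMessage from a login URL (WHATWG URL API, present in
// browsers and Node). Returns null when the parameter is absent.
function getDisconnectMessage(loginUrl) {
  const url = new URL(loginUrl, "https://example.invalid/");
  return url.searchParams.get("disconnectMessage");
}

// VULNERABLE pattern: the raw parameter is concatenated into markup, so any
// tags it contains are parsed by the browser.
function renderUnsafe(message) {
  return `<p id="disconnect">${message ?? ""}</p>`;
}

// Mitigation 1: encode for the HTML context before concatenation.
function renderSafe(message) {
  return `<p id="disconnect">${escapeHtml(message ?? "")}</p>`;
}

// Mitigation 2 (matches the advisory's "restrict the parameter"): accept only
// a short code and map it to fixed server-defined text, so no attacker-
// controlled string is ever rendered. The codes here are constructed.
const DISCONNECT_REASONS = {
  timeout: "Your session has expired. Please sign in again.",
  logout: "You have been signed out.",
};
const DEFAULT_REASON = "You have been disconnected.";

function resolveDisconnectMessage(code) {
  return Object.prototype.hasOwnProperty.call(DISCONNECT_REASONS, code)
    ? DISCONNECT_REASONS[code]
    : DEFAULT_REASON;
}

// In a real browser, assigning textContent (never innerHTML) is the DOM-side
// equivalent of renderSafe: the value is shown verbatim, not parsed.
function setMessageText(element, message) {
  element.textContent = message ?? "";
  return element.textContent;
}

// Constructed sample: markup in the parameter (harmless <b> tag, not a payload).
const SAMPLE_URL =
  "/bpk-common/auth/login/index.html?disconnectMessage=" +
  encodeURIComponent("Session ended <b>early</b>");

if (typeof require !== "undefined" && require.main === module) {
  const msg = getDisconnectMessage(SAMPLE_URL);
  console.log("unsafe :", renderUnsafe(msg));
  console.log("safe   :", renderSafe(msg));
  console.log("allowlist:", resolveDisconnectMessage("timeout"));
}
```

The allowlist variant is the stronger fix because it removes the sink entirely; escaping is the minimal change when the parameter genuinely must carry free text. A Content-Security-Policy without 'unsafe-inline' is a useful second layer but does not replace either.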

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2023-40519

Affected Products

Broadpeak Centralized Accounts Management Auth Agent