Okta Patches Cross-Site Scripting Flaw (CVE-2024-0981) in Browser Plugin

by do son · Published July 22, 2024 · Updated July 22, 2024

Okta, a leading identity and access management provider, has recently patched a high-severity cross-site scripting (XSS) vulnerability (CVE-2024-0981) in its browser plugin. This vulnerability affected versions 6.5.0 through 6.31.0 of the Okta Browser Plugin for Chrome, Edge, Firefox, and Safari, potentially exposing users’ sensitive data to malicious actors.

Cross-site scripting is a type of security vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. These scripts can then be executed in the victim’s browser, potentially allowing the attacker to steal sensitive information, impersonate the user, or take control of their account.

The vulnerability in the Okta Browser Plugin occurred when a user inputted new credentials and the plugin prompted to save them within Okta Personal. If Okta Personal was added to the Okta Browser Plugin to enable multi-account view, an attacker could exploit the vulnerability to inject malicious code into the plugin’s prompt, which would then be executed in the victim’s browser.

Okta users and customers who had installed versions 6.5.0 through 6.31.0 of the Okta Browser Plugin for Chrome, Edge, Firefox, and Safari and added Okta Personal to enable multi-account view were potentially affected by this vulnerability.

Okta has released a fix for the CVE-2024-0981 vulnerability in Okta Browser Plugin version 6.32.0 for Chrome/Edge/Safari. All users are strongly advised to update their Okta Browser Plugin to the latest version as soon as possible.

Okta Admin Users can use the following query to search for users who are still using outdated versions of the plugin:

debugContext.debugData.oktaUserAgentExtended ne "okta-browser-plugin/6.32.0" and debugContext.debugData.oktaUserAgentExtended co "okta-browser-plugin/"