diff --git a/.werks/17094 b/.werks/17094
new file mode 100644
index 00000000000..c28686908c2
--- /dev/null
+++ b/.werks/17094
@@ -0,0 +1,24 @@
+Title: Fix XSS on SAML login screen
+Class: security
+Compatible: compat
+Component: wato
+Date: 1725549833
+Edition: cee
+Level: 1
+Version: 2.2.0p34
+
+Prior to Werk, attackers could craft URLs that rendered clickable HTML links in the error box on the SAML login page.
+This could facilitate phishing attacks by tricking users into clicking malicious links.
+
+Links in the error message are now escaped and no longer clickable.
+
+This issue was identified during internal review.
+
+Affected Versions:
+
+LI: 2.3.0
+LI: 2.2.0
+
+Vulnerability Management:
+
+We have rated the issue with a CVSS Score of 5.1 Medium (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N
) and assigned CVE-2024-38860
.
diff --git a/cmk/gui/utils/login.py b/cmk/gui/utils/login.py
index 830b64361b7..28d97bb9a39 100644
--- a/cmk/gui/utils/login.py
+++ b/cmk/gui/utils/login.py
@@ -11,6 +11,7 @@
from cmk.gui.http import request
from cmk.gui.i18n import _
from cmk.gui.userdb.type_defs import RelayState
+from cmk.gui.utils.escaping import escape_text
from cmk.gui.utils.urls import makeuri_contextless
from cmk.gui.utils.user_errors import user_errors
@@ -35,7 +36,9 @@ def show_saml2_login(
saml_css_class = []
html.close_div()
if (
- saml2_user_error := request.get_str_input("_saml2_user_error")
+ saml2_user_error := escape_text(
+ request.get_str_input("_saml2_user_error"), escape_links=True
+ )
) and request.get_str_input("_connection_id") == connection["id"]:
user_errors.add(
MKUserError(
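Review bot: The walrus now binds the escaped string rather than the raw parameter, so the truthiness guard only keeps its old meaning if `escape_text` maps a `None` from `request.get_str_input("_saml2_user_error")` to a falsy value; the signature of `escape_text` is outside this hunk, so it is worth confirming it accepts `None` (or guarding with `(raw := request.get_str_input(...)) and escape_text(raw, escape_links=True)`). The value still originates from the URL, so even escaped it lets a crafted link place arbitrary wording in the login error box; a stricter mitigation would be to accept only a known error code here and map it to a fixed server-side message. A comment would help the next reader keep the escaping in place: `# _saml2_user_error is attacker-controllable (URL parameter); escape it, links included, before it reaches the error box (CVE-2024-38860)`. `show_saml2_login` starts before this hunk and the `MKUserError(` call continues past it.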