Full Disclosure mailing list archives
CVE-2020-5497 - MITREid Connect XSS
From: aaron bishop <abishop () linux com>
Date: Fri, 21 Feb 2020 13:45:51 -0700
MITREid Connect OpenID-Connect-Java-Spring-Server <https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server> version 1.3.3 and earlier is vulnerable to Cross-Site Scripting; the users name is included in *topbar.tag* and *header.tag* without being sanitized. A user can set their name to a value like: Test</script><script>alert(1)</script> Which will be included in JSON used by a JavaScript function in *header.tag* : // get the info of the current user, if available (null otherwise)
function getUserInfo() { return {"sub":"12318767","name":" *Test</script><script>alert(1)</script>* Test","preferred_username":"Test","given_name":"Test</script><script>alert(1)</script>","family_name":"Test","email":" test () test com","email_verified":true};}
A name such as: Test<script>alert(1)</script> would also work; it is included in the page when menus are created by *topbar.tag*: <!-- use a simplified user button system when collapsed -->
<ul class="nav hidden-desktop"> <li><a href="manage/#user/profile">*Test<script>alert(1)</script>* Test</a></li> <li class="divider"></li> <li><a href="" class="logoutLink"><i class="icon-remove"></i> Log out</a></li>
This issue has been reported on Github <https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/issues/1521> with patches pending. A write up is available at: https://www.securitymetrics.com/blog/MITREid-Connect-cross-site-scripting-CVE-2020-5497 _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- CVE-2020-5497 - MITREid Connect XSS aaron bishop (Feb 27)