Date: Fri, 21 Feb 2020 13:45:51 -0700
From: aaron bishop <>
Subject: [FD] CVE-2020-5497 - MITREid Connect XSS

MITREid Connect OpenID-Connect-Java-Spring-Server
<> version
1.3.3 and earlier is vulnerable to Cross-Site Scripting; the user's name is
included in *topbar.tag* and *header.tag* without being sanitized.  A user
can set their name to a value like:


which will be included in JSON used by a JavaScript function in *header.tag*

> // get the info of the current user, if available (null otherwise)
>     function getUserInfo() {
>         return {"sub":"12318767","name":"
> Test</script><script>alert(1)</script>
> Test","preferred_username":"Test","given_name":"Test</script><script>alert(1)</script>","family_name":"Test","email":"

A name such as:


would also work; it is included in the page when menus are created by

> <!-- use a simplified user button system when collapsed -->
> <ul class="nav hidden-desktop">
> <li><a href="manage/#user/profile">Test<script>alert(1)</script>
> Test</a></li>
> <li class="divider"></li>
> <li><a href="" class="logoutLink"><i class="icon-remove"></i> Log
> out</a></li>
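As an added illustration (not MITREid Connect's own code; the helper names are assumed), the two output contexts the advisory describes, a JSON literal inside a <script> block and element text in the collapsed menu, each with the escaping appropriate to that context, exercised on the proof-of-concept name quoted above:

```javascript
// Added example, not the project's code. Function names are assumed.

// Context 1: a JSON object written inside a <script> block.
// JSON.stringify alone leaves "</script>" intact, so the HTML parser ends
// the script element early. Escaping <, >, & and the line terminators
// U+2028/U+2029 as \uXXXX keeps the value valid JSON and valid JavaScript
// while removing every character that is significant to the HTML parser.
function jsonForScriptBlock(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Context 2: a name placed as element text between <a> and </a>.
function htmlEscape(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Audit helper: flags a stored display name that contains tag-like text,
// i.e. one that would change the surrounding HTML if written out raw.
function breaksHtmlContext(name) {
  return /<\/?[a-z!]/i.test(name);
}

// Constructed input mirroring the advisory's proof of concept.
const userInfo = {
  sub: '12318767',
  name: 'Test</script><script>alert(1)</script> Test',
  preferred_username: 'Test',
};

// The getUserInfo() script from header.tag, rendered with escaping.
function renderUserInfoScript(info) {
  return '<script>function getUserInfo() { return ' +
    jsonForScriptBlock(info) + '; }</script>';
}

// The menu entry from topbar.tag, rendered with escaping.
function renderUserMenuItem(info) {
  return '<li><a href="manage/#user/profile">' + htmlEscape(info.name) + '</a></li>';
}

// The escaped JSON must still parse back to the original name.
function roundTrip(info) {
  return JSON.parse(jsonForScriptBlock(info)).name === info.name;
}
```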

This issue has been reported on Github
patches pending.

A write up is available at:
