Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

CVE-2020-5497 - MITREid Connect XSS

Related Vulnerabilities: CVE-2020-5497  
Source 
                							

                <!--X-Body-Begin-->
<!--X-User-Header-->
<a href="/fulldisclosure/"><img src="/images/fulldisclosure-logo.png" class="l-logo right" alt="fulldisclosure logo" width="80"></a>
<h2 class="m-list"><a href="/fulldisclosure/">Full Disclosure</a>
mailing list archives</h2>
<!--X-User-Header-End-->
<!--X-TopPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="24"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#25">By Date</a>
<a href="26"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="24"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#25">By Thread</a>
<a href="26"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<form class="nst-search center" action="/search/fulldisclosure">
<input class="nst-search-q" name="q" type="search" placeholder="List Archive Search">
<button class="nst-search-button" title="Search">
<img style="width:100%;aspect-ratio:1/1;" alt="" aria-hidden="true" src="/shared/images/nst-icons.svg#search">
</button>
</form>

</div>

<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
<h1 class="m-title">CVE-2020-5497 - MITREid Connect XSS</h1>
<hr>
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->


<em>From</em>: aaron bishop &lt;abishop () linux com&gt;


<em>Date</em>: Fri, 21 Feb 2020 13:45:51 -0700


<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<hr>
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
<pre style="margin: 0em;">MITREid Connect OpenID-Connect-Java-Spring-Server
&lt;<a rel="nofollow" href="https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server">https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server</a>&gt; version
1.3.3 and earlier is vulnerable to Cross-Site Scripting; the users name is
included in *topbar.tag* and *header.tag* without being sanitized.  A user
can set their name to a value like:

Test&lt;/script&gt;&lt;script&gt;alert(1)&lt;/script&gt;

Which will be included in JSON used by a JavaScript function in *header.tag*
:

// get the info of the current user, if available (null otherwise)
</pre><blockquote style="border-left: #5555EE solid 0.2em; margin: 0em; padding-left: 0.85em"><pre style="margin: 0em;">    function getUserInfo() {
        return {"sub":"12318767","name":"
*Test&lt;/script&gt;&lt;script&gt;alert(1)&lt;/script&gt;*
Test","preferred_username":"Test","given_name":"Test&lt;/script&gt;&lt;script&gt;alert(1)&lt;/script&gt;","family_name":"Test","email":"
test () test com","email_verified":true};}
</pre></blockquote><pre style="margin: 0em;">

A name such as:

Test&lt;script&gt;alert(1)&lt;/script&gt;

would also work; it is included in the page when menus are created by
*topbar.tag*:

&lt;!-- use a simplified user button system when collapsed --&gt;
</pre><blockquote style="border-left: #5555EE solid 0.2em; margin: 0em; padding-left: 0.85em"><pre style="margin: 0em;">&lt;ul class="nav hidden-desktop"&gt;
&lt;li&gt;&lt;a href="manage/#user/profile"&gt;*Test&lt;script&gt;alert(1)&lt;/script&gt;*
Test&lt;/a&gt;&lt;/li&gt;
&lt;li class="divider"&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="" class="logoutLink"&gt;&lt;i class="icon-remove"&gt;&lt;/i&gt; Log
out&lt;/a&gt;&lt;/li&gt;
</pre></blockquote><pre style="margin: 0em;">

This issue has been reported on Github
&lt;<a rel="nofollow" href="https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/issues/1521">https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/issues/1521</a>&gt;
with
patches pending.

A write up is available at:
<a rel="nofollow" href="https://www.securitymetrics.com/blog/MITREid-Connect-cross-site-scripting-CVE-2020-5497">https://www.securitymetrics.com/blog/MITREid-Connect-cross-site-scripting-CVE-2020-5497</a>

_______________________________________________
Sent through the Full Disclosure mailing list
<a rel="nofollow" href="https://nmap.org/mailman/listinfo/fulldisclosure">https://nmap.org/mailman/listinfo/fulldisclosure</a>
Web Archives &amp; RSS: <a rel="nofollow" href="http://seclists.org/fulldisclosure/">http://seclists.org/fulldisclosure/</a>

</pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="24"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#25">By Date</a>
<a href="26"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="24"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#25">By Thread</a>
<a href="26"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
</div>
<h3 class="m-thread">Current thread:</h3>
<ul class="thread">
<li><strong>CVE-2020-5497 - MITREid Connect XSS</strong> <em>aaron bishop (Feb 27)</em>
</li></ul>


<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->
<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started