MITREid Connect OpenID-Connect-Java-Spring-Server version
1.3.3 and earlier is vulnerable to Cross-Site Scripting; the user's name is
included in *topbar.tag* and *header.tag* without being sanitized. A user
can set their name to a value like:
Which will be included in JSON used by a JavaScript function in *header.tag*:
> // get the info of the current user, if available (null otherwise)
> function getUserInfo() {  
> return {"sub":"12318767","name":"  
> *Test</script><script>alert(1)</script>*  
> Test","preferred_username":"Test","given_name":"Test</script><script>alert(1)</script>","family_name":"Test","email":"  
A name such as:  
would also work; it is included in the page when menus are created by  
> <!-- use a simplified user button system when collapsed -->
> <ul class="nav hidden-desktop">  
> <li><a href="manage/#user/profile">*Test<script>alert(1)</script>*  
> Test</a></li>  
> <li class="divider"></li>  
> <li><a href="" class="logoutLink"><i class="icon-remove"></i> Log  
> out</a></li>  
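
One way to encode the user's name for the two output contexts shown above, JSON inside an inline script and HTML link text. This is an added example, not code from the MITREid Connect project or its patch; the class and method names are hypothetical.

```java
// Added example; UserInfoEncoding, jsonForScript and html are hypothetical names.
public class UserInfoEncoding {

    // Encode a value as a JSON string that is also inert inside an inline
    // <script> block: markup characters become backslash-u escapes.
    static String jsonForScript(String s) {
        StringBuilder out = new StringBuilder("\"");
        for (char c : s.toCharArray()) {
            if (c == '"' || c == '\\') {
                out.append('\\').append(c);
            } else if (c < 0x20 || c == '<' || c == '>' || c == '&'
                    || c == '\'' || c == 0x2028 || c == 0x2029) {
                out.append(String.format("\\u%04x", (int) c));
            } else {
                out.append(c);
            }
        }
        return out.append('"').toString();
    }

    // Encode a value for HTML element content or a quoted attribute.
    static String html(String s) {
        StringBuilder out = new StringBuilder();
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Display name taken from the excerpts in the advisory.
        String name = "Test</script><script>alert(1)</script> Test";
        // Context 1: JSON inside the inline script in header.tag.
        String script = "return {\"name\":" + jsonForScript(name) + "};";
        // Context 2: link text in the collapsed menu.
        String menu = "<li><a href=\"manage/#user/profile\">" + html(name) + "</a></li>";
        System.out.println(script);
        System.out.println(menu);
        if (script.contains("</script") || menu.contains("<script")) {
            throw new IllegalStateException("name was emitted as markup");
        }
    }
}
```
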
This issue has been reported on GitHub;
patches are pending.
A write up is available at: