Vulnerability Description
The OpenID Connect reference implementation for MITREid Connect through 1.3.3 allows XSS due to userInfoJson being included in the page unsanitized. This is related to header.tag. The issue can be exploited to execute arbitrary JavaScript.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mitreid | Connect | <= 1.3.3 |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/156574/MITREid-1.3.3-Cross-Site-Scripting.hExploitThird Party AdvisoryVDB Entry
- http://seclists.org/fulldisclosure/2020/Feb/25Mailing ListThird Party Advisory
- https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/issues/1521ExploitIssue TrackingThird Party Advisory
- https://www.securitymetrics.com/blog/MITREid-Connect-cross-site-scripting-CVE-20ExploitThird Party Advisory
- http://packetstormsecurity.com/files/156574/MITREid-1.3.3-Cross-Site-Scripting.hExploitThird Party AdvisoryVDB Entry
- http://seclists.org/fulldisclosure/2020/Feb/25Mailing ListThird Party Advisory
- https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/issues/1521ExploitIssue TrackingThird Party Advisory
- https://www.securitymetrics.com/blog/MITREid-Connect-cross-site-scripting-CVE-20ExploitThird Party Advisory
FAQ
What is CVE-2020-5497?
CVE-2020-5497 is a vulnerability with a CVSS score of 6.1 (MEDIUM). The OpenID Connect reference implementation for MITREid Connect through 1.3.3 allows XSS due to userInfoJson being included in the page unsanitized. This is related to header.tag. The issue can be exp...
How severe is CVE-2020-5497?
CVE-2020-5497 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-5497?
Check the references section above for vendor advisories and patch information. Affected products include: Mitreid Connect.