OpenConext-EngineBlock 5.7.3 Cross Site Scripting

`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512  
  
XSS vulnerabilities were found in multiple pages that allows an attacker to  
inject arbitrary web scripts.  
  
The Twig PHP extension configuration was not sanitizing user input before  
display it to the user.  
  
Issues fixed in version 5.7.4 and 5.8.0. Git commit here:  
https://github.com/OpenConext/OpenConext-engineblock/pull/566  
  
PoC URLs:  
https://engine.example.org/authentication/idp/help-discover?%22%3E%3Cscript%3Ealert(%27XSS%27)%3C/script%3E  
https://engine.example.org/authentication/idp/single-sign-on?%22%3E%3Cscript%3Ealert(%27XSS%27)%3C/script%3E  
  
CVE assigned: CVE-2018-1000611  
  
Timeline:  
- - - 2018-06-29: Notified SURFnet about the vulnerability  
- - - 2018-07-04: Patch pull request created on Github  
- - - 2018-07-04: CVE Requested  
- - - 2018-07-05: Patch was merged on Github  
- - - 2018-07-12: Announcing on Full Disclosure  
-----BEGIN PGP SIGNATURE-----  
  
iQE9BAEBCgAnIBxBbmRyZXcgS2xhdXMgPGFuZHJld0Bha2xhdXMuY2E+BQJbR6ae  
AAoJEFYqtOvsX+ttmS0H/AorN3q5I3GmVUcjEYhwym1E/VJVFD1vfPQQf/XGtXdu  
O9qPjfVFmuCG1jXItLJmtUEDVU/HI8bLubyvhFzrvGB4tyJ8Y5mMR2GTBvQ3+o4W  
ckgw7wcMGWiVNEjvddgGlALg0W8eC23NoZoi92J5Cg8Ni3+ARvt6j/7sRp4Jn+Kp  
x2h8GeoPSp920QMoTYrehh16W/bRNRz/a9Y63UfNLSqv4DmZsMoa9NzA91T0GexP  
MHpObqbf6arQ5UzFKKF/UUsrQ8aiAL7tKsrhHs+byZZoiuHw/18eLeY82UKN8ocD  
ysrciARYDc53T0slM9wJZ6zy8XHghKjIUV9QmFstNUk=  
=rdVB  
-----END PGP SIGNATURE-----  
  
  
`