openid-connect-server is vulnerable to cross-site scripting (XSS). The vulnerability exists as the value of userInfoJson
was not sanitized when displayed in header.tag
.
CPE | Name | Operator | Version |
---|---|---|---|
openid connect server library | le | 1.3.3 | |
openid connect server library | le | 1.3.3 |
packetstormsecurity.com/files/156574/MITREid-1.3.3-Cross-Site-Scripting.html
seclists.org/fulldisclosure/2020/Feb/25
github.com/advisories/GHSA-c2h6-7gm8-cv4w
github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/issues/1521
www.securitymetrics.com/blog/MITREid-Connect-cross-site-scripting-CVE-2020-5497