CVE-2020-5497 – org.mitre:openid-connect-server

Package

Manager: maven
Name: org.mitre:openid-connect-server
Vulnerable Version: >=0 <=1.3.3

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00571 pctl0.67658

Details

XSS in MITREid Connect The OpenID Connect reference implementation for MITREid Connect through 1.3.3 allows XSS due to userInfoJson being included in the page unsanitized. This is related to header.tag. The issue can be exploited to execute arbitrary JavaScript.

Metadata

Created: 2020-04-01T16:35:44Z
Modified: 2023-01-24T18:07:52Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-c2h6-7gm8-cv4w/GHSA-c2h6-7gm8-cv4w.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-c2h6-7gm8-cv4w
Finding: F425
Auto approve: 1