Reflected cross-site scripting (XSS) In org.openidentityplatform.openam:openam-federation-library
Description
OpenAM SAML2 Cluster Cookie-Hash-Redirect Path has Pre-authentication Reflected XSS via FSUtils.postToTarget
Summary
Certain federation endpoints do not consistently apply output encoding when rendering user-supplied parameters into HTML responses. Under a non-default configuration used in some clustered deployments, this inconsistency can result in reflected XSS in the OpenAM origin without authentication.
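As an added illustration of the defect class described above (this is not OpenAM's own code and not the body of FSUtils.postToTarget; the helper names, signatures and form layout are assumed here): a minimal auto-submitting POST form builder of the kind federation endpoints use, rendered first with the user-supplied values concatenated raw into the HTML, then with the target restricted and every value encoded for an attribute context.

```java
import java.util.Map;
import java.util.function.UnaryOperator;

// Hypothetical stand-in for a federation helper that renders an
// auto-submitting POST form; NOT OpenAM's FSUtils.postToTarget.
public final class AutoPostForm {
    // Defective pattern described in the advisory: user-supplied target and
    // parameter values are concatenated into the HTML as-is, so a quote or
    // angle bracket in a value leaves the attribute and is parsed as markup.
    public static String renderUnsafe(String target, Map<String, String> params) {
        return render(target, params, UnaryOperator.identity());
    }

    // Hardened pattern: the target is restricted to absolute http(s) URLs and
    // every value that reaches the response is encoded for an attribute context.
    public static String renderSafe(String target, Map<String, String> params) {
        if (!target.matches("(?i)https?://[^\\s\"'<>]+")) {
            throw new IllegalArgumentException("target must be an absolute http(s) URL");
        }
        return render(target, params, AutoPostForm::attr);
    }

    private static String render(String target, Map<String, String> params,
                                 UnaryOperator<String> enc) {
        StringBuilder sb = new StringBuilder();
        sb.append("<form method=\"POST\" action=\"").append(enc.apply(target)).append("\">");
        for (Map.Entry<String, String> e : params.entrySet()) {
            sb.append("<input type=\"hidden\" name=\"").append(enc.apply(e.getKey()))
              .append("\" value=\"").append(enc.apply(e.getValue())).append("\"/>");
        }
        return sb.append("</form><script>document.forms[0].submit();</script>").toString();
    }

    // Attribute-context encoder using only the JDK: the five characters that
    // can terminate or alter an attribute are replaced by entities.
    public static String attr(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }
}
```

A regression check for an endpoint like this is to pass a value containing a double quote and an angle bracket through the rendering path and assert that the response contains only the entity forms, never the raw characters.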
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
| Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
| maven | org.openidentityplatform.openam:openam-federation-library | | 16.1.1 |