[midPoint] Security Advisory: Stored XSS Vulnerability In fullName and displayName

Tony Tkacik tony.tkacik at evolveum.com
Thu Sep 21 17:04:38 CEST 2023


Date: 20. 9. 2023 
Severity: High 
Affected versions: 4.7, 4.7.1 
Fixed in versions: 4.7.2, 4.8 (unreleased) 


Description 

A cross-site scripting (XSS) vulnerability exists in the change preview and audit log of the midPoint user interface, reachable via the organization displayName and user fullName properties. 

Severity and Impact 

A malicious user can execute arbitrary scripts (e.g. JavaScript) in the context of the midPoint web-based user interface. 
Because the payload is stored in the object, it runs in the browser of any user who later views the affected change preview or audit log entry. 
This vulnerability exists in displayName for all objects, including the name of an organization/organizational unit. 
Exploiting this vulnerability requires administrative privileges. 


Mitigation 

Users of affected midPoint versions are advised to upgrade their deployments to the latest maintenance release (4.7.2 for the 4.7 branch). 

Discussion and Explanation 

The midPoint user interface is based on the Apache Wicket web framework. 
Proper use of the Wicket framework protects against most XSS vulnerabilities, because component model strings are HTML-escaped when rendered. 
However, one part of the midPoint code used the Wicket framework improperly, which opened an XSS vulnerability. 
The vulnerability could be exploited by crafting the displayName of an organizational unit, or in fact the display name of any multi-value container. 
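The following is an added illustration of the class of Wicket misuse the explanation above describes; it is not midPoint code, and the advisory does not say which component was affected. It renders a constructed, attacker-controlled displayName through a Label with escaping explicitly switched off (the unsafe pattern) and through a Label with Wicket's default escaping (the safe pattern), and uses WicketTester to compare the generated HTML. Class and method names are hypothetical.

```java
import org.apache.wicket.markup.html.basic.Label;
import org.apache.wicket.model.IModel;
import org.apache.wicket.model.Model;
import org.apache.wicket.util.tester.WicketTester;

/**
 * Illustrative example, not midPoint code: the Wicket pitfall that turns a
 * stored displayName into stored XSS, shown beside the safe default.
 */
public class DisplayNameEscapingExample {

    // Constructed attacker-controlled value, as an administrator could store it
    // in an organization's displayName.
    static final String HOSTILE_DISPLAY_NAME =
        "Sales Dept<img src=x onerror=\"alert(document.cookie)\">";

    /** Unsafe pattern: escaping is switched off for a user-supplied value. */
    static Label unsafeLabel(String id, IModel<String> displayName) {
        Label label = new Label(id, displayName);
        // setEscapeModelStrings(false) is only legitimate for markup the
        // application itself produced; here it hands raw HTML to the browser.
        label.setEscapeModelStrings(false);
        return label;
    }

    /** Safe pattern: Wicket's default, the model string is HTML-escaped on render. */
    static Label safeLabel(String id, IModel<String> displayName) {
        return new Label(id, displayName);   // escapeModelStrings defaults to true
    }

    /** Renders the label in a generated test page and returns the resulting HTML. */
    static String render(Label label) {
        WicketTester tester = new WicketTester();
        try {
            tester.startComponentInPage(label);
            return tester.getLastResponseAsString();
        } finally {
            tester.destroy();
        }
    }

    /** Regression check: does the rendered HTML still contain live markup from the value? */
    static boolean rendersRawMarkup(String html) {
        return html.contains("<img src=x onerror=");
    }

    public static void main(String[] args) {
        String unsafe = render(unsafeLabel("name", Model.of(HOSTILE_DISPLAY_NAME)));
        String safe = render(safeLabel("name", Model.of(HOSTILE_DISPLAY_NAME)));
        System.out.println("unsafe label renders raw markup: " + rendersRawMarkup(unsafe));
        System.out.println("safe label renders raw markup:   " + rendersRawMarkup(safe));
    }
}
```

With the safe label the `<img ...>` tag arrives in the response as `&lt;img ... &gt;` and is shown as text; with the unsafe label it arrives verbatim and the `onerror` handler executes. A check of this shape, run against every place a displayName or fullName is rendered, is the kind of regression test that catches the misuse the advisory describes before it reaches the audit log view.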


Credit 

This issue was reported by Radically Open Security as part of NGI Zero Review program. 


This advisory is also available at: https://docs.evolveum.com/midpoint/reference/security/advisories/019-xss-in-fullName-displayName/ 

-- 
Anton Tkáčik
Software Developer
evolveum.com 
