[midPoint] Security Advisory: Stored XSS Vulnerability In fullName and displayName
Tony Tkacik
tony.tkacik at evolveum.com
Thu Sep 21 17:04:38 CEST 2023
Date: 20. 9. 2023
Severity: High
Affected versions: 4.7, 4.7.1
Fixed in versions: 4.7.2, 4.8 (unreleased)
Description
A cross-site scripting (XSS) vulnerability exists in the change preview and audit log of the midPoint user interface, namely via organization displayName and user fullName.
Severity and Impact
A malicious user can execute arbitrary scripts (e.g. JavaScript) as part of the midPoint web-based user interface.
This vulnerability exists in displayName for all objects, including the name of the organization/organizational unit.
Exploiting this vulnerability requires administrative privileges.
Mitigation
Users of affected midPoint versions are advised to upgrade their deployments to the latest maintenance release.
Discussion and Explanation
The midPoint user interface is based on the Apache Wicket web framework.
Proper use of the Wicket web framework protects against most XSS-related vulnerabilities.
However, one part of the midPoint code was using the Wicket framework improperly, thereby opening an XSS vulnerability.
The vulnerability could be exploited by fabricating the displayName of an organizational unit, or in fact any display name of a multi-value container.
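The advisory does not say which Wicket call was misused. As an added illustration (not midPoint code and not part of the original advisory), the following shows Wicket's default output escaping on a `Label` next to the same label with escaping switched off, which is one common way the framework's protection gets bypassed. It assumes Wicket (wicket-core with its `WicketTester` dependencies) is on the classpath; the class name and sample value are constructed for the example.

```java
import org.apache.wicket.markup.html.basic.Label;
import org.apache.wicket.util.tester.WicketTester;

public class DisplayNameEscapingDemo {

    // Constructed sample value: a display name carrying harmless markup.
    static final String DISPLAY_NAME = "Sales <b>EMEA</b>";

    /**
     * Renders a Label holding the given value and returns the HTML Wicket
     * would send to the browser. 'escape' toggles Wicket's output encoding.
     */
    static String render(String value, boolean escape) {
        WicketTester tester = new WicketTester(); // in-memory application, no servlet container
        try {
            Label label = new Label("name", value);
            label.setEscapeModelStrings(escape);   // true is Wicket's default
            tester.startComponentInPage(label);
            return tester.getLastResponseAsString();
        } finally {
            tester.destroy();
        }
    }

    public static void main(String[] args) {
        String escaped = render(DISPLAY_NAME, true);
        String raw = render(DISPLAY_NAME, false);

        // Default behaviour: the stored value is shown as text.
        if (!escaped.contains("Sales &lt;b&gt;EMEA&lt;/b&gt;")) {
            throw new AssertionError("expected escaped output: " + escaped);
        }
        // Escaping disabled: the stored value becomes live markup in the page.
        if (!raw.contains("Sales <b>EMEA</b>")) {
            throw new AssertionError("expected raw markup: " + raw);
        }
        System.out.println("escaped: " + escaped);
        System.out.println("raw:     " + raw);
    }
}
```

When reviewing Wicket code, components that call `setEscapeModelStrings(false)` while bound to user-editable properties such as display names deserve a close look.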
Credit
This issue was reported by Radically Open Security as part of the NGI Zero Review program.
This advisory is also available at: https://docs.evolveum.com/midpoint/reference/security/advisories/019-xss-in-fullName-displayName/
--
Anton Tkáčik
Software Developer
evolveum.com