<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Date: 30 August 2019<br>
Severity: Medium (CVSS 4.3)<br>
Affected versions: all released midPoint versions<br>
Fixed in versions: 4.0 (unreleased), 3.9.1 (unreleased), 3.8.1
(unreleased), 3.7.3 (unreleased)<br>
<br>
Description<br>
<br>
Stored cross-site scripting (XSS) vulnerability exists in midPoint
user interface that can be exploited by manipulation of object
'name' property.<br>
<br>
Severity and Impact<br>
<br>
Attacker needs authorization to change object names in midPoint.
Such authorization is usually granted only to administrators and
other privileged users. Only "Repository objects" page is affected.<br>
<br>
Mitigation<br>
<br>
Users of affected MidPoint versions are advised to upgrade their
deployments to the latest builds from the support branches. <br>
<br>
As this is a medium severity issue, it is not forcing official
maintenance releases of midPoint. However, the fix is provided in
all the support branches.<br>
<br>
Discussion and Explanation<br>
<br>
The code of "Repository objects" page used wrong method to use
object name to construct HTML code of a page. Therefore this page
was vulnerable to the XSS attack.<br>
<br>
Credit<br>
<br>
This issue was reported by <span class="mini-profile__name
spec-mini-profile-name">Nicolas Destor</span><span
class="mini-profile__name spec-mini-profile-name"></span> by the
means of EU-Free and Open Source Software Auditing (EU-FOSSA2)
project.<br>
<br>
See Also<br>
<br>
<a class="moz-txt-link-freetext" href="https://wiki.evolveum.com/display/midPoint/Security+Advisory%3A+Stored+XSS+vulnerability+via+%27name%27+property">https://wiki.evolveum.com/display/midPoint/Security+Advisory%3A+Stored+XSS+vulnerability+via+%27name%27+property</a><br>
<br>
<pre class="moz-signature">--
Radovan Semancik
Software Architect
evolveum.com
</pre>
</body>
</html>