XSS in MITREid Connect
Moderate severity. GitHub Reviewed.
Published Apr 1, 2020 to the GitHub Advisory Database. Updated Jan 24, 2023.

Description

Published by the National Vulnerability Database: Jan 4, 2020
Reviewed: Apr 1, 2020
The OpenID Connect reference implementation for MITREid Connect through 1.3.3 allows cross-site scripting (XSS) because userInfoJson is included in the page unsanitized. This is related to header.tag. The issue can be exploited to execute arbitrary JavaScript.
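To make the failure mode concrete, the following is an added example written for this page; it is not MITREid Connect code and does not reproduce header.tag. It assumes a template that writes a user-info object as JSON into an inline script block, and uses constructed names (userInfo, naiveJsonForScript, safeJsonForScript, SAMPLE_USER_INFO). The sample object contains a claim value with markup, as a user-controlled profile field might. The naive rendering passes the markup through verbatim, so the HTML parser closes the script block early; the hardened rendering escapes every HTML-significant character inside the JSON as \uXXXX, which the JSON parser decodes back to the original text.

```javascript
// Added example, not from MITREid Connect: safely embedding a user-info JSON
// object in an inline <script> block.

// Constructed sample: a user-info object whose "name" claim carries HTML markup.
// In a real deployment this value would come from the user's profile.
const SAMPLE_USER_INFO = {
  sub: "user-123",
  name: "Alice </script><b>not JSON anymore</b>",
  email: "alice@example.invalid",
};

// Naive serialisation: JSON.stringify leaves "<", ">" and "&" untouched, so the
// HTML parser sees a closing </script> tag inside the string literal.
function naiveJsonForScript(obj) {
  return JSON.stringify(obj);
}

// Hardened serialisation: replace each HTML-significant character, plus the two
// JSON-legal line terminators that break JavaScript string literals, with its
// \uXXXX escape. Inside a JSON string literal these decode to the original
// characters, so JSON.parse(safeJsonForScript(x)) deep-equals x.
const ESCAPES = {
  "<": "\\u003c",
  ">": "\\u003e",
  "&": "\\u0026",
  "\u2028": "\\u2028",
  "\u2029": "\\u2029",
};

function safeJsonForScript(obj) {
  return JSON.stringify(obj).replace(/[<>&\u2028\u2029]/g, (c) => ESCAPES[c]);
}

// Detection helper: does the serialised text contain a sequence the HTML parser
// would treat as the end of the script block or the start of a comment?
function containsScriptBreakout(serialised) {
  return /<\/script|<!--/i.test(serialised);
}

// Template fragment (assumed layout): the hardened JSON is placed in a script
// block so client-side code can read window.userInfo.
function renderScriptBlock(obj) {
  return `<script>var userInfo = ${safeJsonForScript(obj)};</script>`;
}

// Stand-alone demonstration.
console.log("naive   :", naiveJsonForScript(SAMPLE_USER_INFO));
console.log("hardened:", safeJsonForScript(SAMPLE_USER_INFO));
console.log("rendered:", renderScriptBlock(SAMPLE_USER_INFO));
```

The same escaping step is the standard mitigation in any server-side template, whatever the language: escape the JSON before it is written into the script block. An equally sound alternative is to put the JSON into an HTML attribute with attribute encoding and call JSON.parse on the client, so the value never sits inside a script context at all.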