Security Advisory: XSS Vulnerability In fullName and displayName
Date: 20. 9. 2023
Severity: High (CVSS 8.0)
Affected versions: 4.7, 4.7.1
Fixed in versions: 4.8, 4.7.2
Cross-site scripting (XSS) vulnerability exists in change preview and audit log of midPoint user interface, namely via organization displayName and user fullName.
Severity and Impact
Malicious user can execute arbitrary scripts (e.g. Java Script) as part of midPoint web-based user interface. This vulnerability exists in displayName for all objects, including name of the organization/organizational unit. Exploiting this vulnerability requires administrative privileges.
Users of affected MidPoint versions are advised to upgrade their deployments to the latest maintenance release.
Discussion and Explanation
MIdPoint user interface is based on Apache Wicket web framework. Proper use of Wicket web framework protects against most XSS-related vulnerabilities. However, one part of midPoint code was using the Wicket framework improperly, therefore opening XSS vulnerability. The vulnerability could be exploited by fabricating displayName of organizational unit, or in fact any display name of a multi-value container.
This issue was reported by Radically Open Security as part of NGI Zero Review program.