Security Advisory: XSS Vulnerability In displayName
Date: 14 Jun 2019
Severity: Low (CVSS 3.7)
Affected versions: all released midPoint versions since 3.7
Fixed in versions: 4.0 (unreleased), 3.9.1 (unreleased), 3.8.1 (unreleased), 3.7.3 (unreleased)
Cross-site scripting (XSS) vulnerability exists in some parts of midPoint user interface, namely in organization displayName.
Severity and Impact
Malicious user can execute arbitrary scripts (e.g. Java Script) as part of midPoint web-based user interface. This vulnerability exists in displayName for all multi-value containers, including name of the organization/organizational unit. Exploiting this vulnerability requires administrative privileges, therefore severity and impact of this vulnerability is low.
Users of affected MidPoint versions are advised to upgrade their deployments to the latest builds from the support branches.
As this is a low severity issue, it is not forcing official maintenance releases of midPoint. However, the fix is provided in all the support branches.
Discussion and Explanation
MIdPoint user interface is based on Apache Wicket web framework. Proper use of Wicket web framework protects against most XSS-related vulnerabilities. However, one part of midPoint code was using the Wicket framework improperly, therefore opening XSS vulnerability. The vulnerability could be exploited by fabricating displayName of organizational unit, or in fact any display name of a multi-value container.
This issue was reported by tester known as Jespert123 by the means of EU-Free and Open Source Software Auditing (EU-FOSSA2) project.