Security Advisory: Stored XSS vulnerability via 'name' property

Last modified 14 Feb 2024 10:22 +01:00

Date: 30 August 2019

Severity: Medium (CVSS 4.3)

Affected versions: all released midPoint versions

Fixed in versions: 4.0 (unreleased), 3.9.1 (unreleased), 3.8.1 (unreleased), 3.7.3 (unreleased)


Stored cross-site scripting (XSS) vulnerability exists in midPoint user interface that can be exploited by manipulation of object 'name' property.

Severity and Impact

Attacker needs authorization to change object names in midPoint. Such authorization is usually granted only to administrators and other privileged users. Only "Repository objects" page is affected.


Users of affected MidPoint versions are advised to upgrade their deployments to the latest builds from the support branches.

As this is a medium severity issue, it is not forcing official maintenance releases of midPoint. However, the fix is provided in all the support branches.

Discussion and Explanation

The code of "Repository objects" page used wrong method to use object name to construct HTML code of a page. Therefore this page was vulnerable to the XSS attack.


This issue was reported by Nicolas Destor by the means of EU-Free and Open Source Software Auditing (EU-FOSSA2) project.

Was this page helpful?
Thanks for your feedback