Security Advisory: Stored XSS vulnerability via 'name' property

Last modified 14 Feb 2024 10:22 +01:00

Date: 30 August 2019

Severity: Medium (CVSS 4.3)

Affected versions: all released midPoint versions

Fixed in versions: 4.0 (unreleased), 3.9.1 (unreleased), 3.8.1 (unreleased), 3.7.3 (unreleased)

Description

A stored cross-site scripting (XSS) vulnerability exists in the midPoint user interface. It can be exploited by manipulating the 'name' property of an object.

Severity and Impact

The attacker needs authorization to change object names in midPoint. Such authorization is usually granted only to administrators and other privileged users. Only the "Repository objects" page is affected.

Mitigation

Users of affected midPoint versions are advised to upgrade their deployments to the latest builds from the support branches.

As this is a medium severity issue, it does not force official maintenance releases of midPoint. However, the fix is provided in all the support branches.

Discussion and Explanation

The code of the "Repository objects" page used the wrong method to insert the object name into the HTML code of the page. The page was therefore vulnerable to XSS.

Credit

This issue was reported by Nicolas Destor through the EU-Free and Open Source Software Auditing (EU-FOSSA2) project.
