<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Hi Aaron,<div class=""><br class=""></div><div class="">Thanks for the report. The value of the isAdmin flag on the front end would allow you to see the pages, but the APIs would still return empty information rendering the attack fairly pointless. We don’t read or trust the value of isAdmin from the front end when calculating the information to return to the front end for display or manipulation. We use that flag in the front end to change which pages are made visible on the UI, and turn off admin-only controls that would simply fail for a non-admin user. Yes, they’d get to see the admin pages if they change this variable, but they wouldn’t get access to anything they wouldn’t see already. As in, they don’t actually gain admin access. Ergo, I’m not convinced that this attack is meaningful. Can you please help me understand if this allows for data access beyond what the user is intended to be able to see?</div><div class=""><br class=""></div><div class="">That said, the cross-site scripting issue should be fixed anyway as it could allow for manipulation of the page where you don’t want it to. </div><div class=""><br class=""></div><div class="">Thanks,</div><div class=""> — Justin<br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On Jan 14, 2020, at 2:18 PM, Aaron Bishop <<a href="mailto:aaron@securitymetrics.com" class="">aaron@securitymetrics.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><meta http-equiv="Content-Type" content="text/html; charset=utf-8" class=""><div dir="ltr" class="">Hello,<div class=""><br class=""></div><div class="">I reported a <a href="https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/issues/1521" class="">Cross-Site Scripting</a> issue, which has been assigned CVE-2020-5497, affecting OpenID but withheld publicly reporting a related issue. A user can purposefully conduct the Cross-Site Scripting attack against themselves to force the isAdmin check to return true. The isAdmin call is used by several pages to view page content. This would allow a low privileged user to view pages such as Scope, Whitelist, Clients, etc. This issue was assigned CVE-2020-5498 but has not been published. Let me know if you need more information.</div><div class=""><br class=""></div><div class="">Best regards,</div><div class=""><br clear="all" class=""><div class=""><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr" class=""><div class=""><div dir="ltr" class=""><div class=""><div dir="ltr" class=""><div class=""><div dir="ltr" class=""><div class="">
<div dir="ltr" class="">
<div style="font-size: 12pt; background-color: rgb(255, 255, 255); font-family: Calibri, Arial, Helvetica, sans-serif;" class="">
<div style="padding-top:0px;margin-left:0px" class="">
<div style="text-align:left;padding-left:0px;overflow:hidden" class="">
<h1 style="font-family:Helvetica;font-size:12px;font-weight:300;color:rgb(30,136,229)" class="">
<span style="font-weight:400" class="">AARON BISHOP </span><span style="color:rgb(102,102,102)" class="">| Principal Penetration Tester</span></h1>
<h1 style="font-family:Helvetica;font-size:12px;color:rgb(102,102,102)" class=""><span style="font-weight:normal" class="">CISSP, OSCP, OSWE</span></h1>
<h1 style="font-family:Helvetica;font-size:12px;color:rgb(102,102,102)" class=""><span style="font-weight:normal" class=""></span><span style="font-weight:200" class="">P:801.995.6999<br class="">
</span></h1>
<h1 style="font-family:Helvetica;font-size:12px;font-weight:200;color:rgb(102,102,102)" class="">
<img align="left" alt="SecurityMetrics" border="0" height="22" src="http://info.securitymetrics.com/l/47362/2016-06-16/3xk29h/47362/79282/SM_Logo_RGB_2015.png" title="SecurityMetrics" width="150" class=""></h1>
</div>
</div>
<table width="100%" cellspacing="0" cellpadding="0" border="0" class="">
<tbody class="">
<tr class="">
<td align="center" class="">
<table cellspacing="5" cellpadding="0" border="0" class="">
<tbody class="">
<tr class="">
<td height="200" align="center" style="width:600px;height:200px" class=""></td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</div>
</div>
</div></div></div></div></div></div></div></div></div></div></div></div>
_______________________________________________<br class="">mitreid-connect mailing list<br class=""><a href="mailto:mitreid-connect@mit.edu" class="">mitreid-connect@mit.edu</a><br class="">http://mailman.mit.edu/mailman/listinfo/mitreid-connect<br class=""></div></blockquote></div><br class=""></div></body></html>