[mitreid-connect] CVE-2020-5498

Aaron Bishop aaron at securitymetrics.com
Tue Jan 14 14:18:46 EST 2020


Hello,

I reported a  Cross-Site Scripting
<https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/issues/1521>
issue,
which has been assigned CVE-2020-5497, affecting OpenID but withheld
publicly reporting a related issue.  A user can purposefully conduct the
Cross-Site Scripting attack against themselves to force the isAdmin check
to return true.  The isAdmin call is used by several pages to view page
content.  This would allow a low privileged user to view pages such as
Scope, Whitelist, Clients, etc.  This issue was assigned CVE-2020-5498 but
has not been published. Let me know if you need more information.

Best regards,

AARON BISHOP | Principal Penetration Tester CISSP, OSCP, OSWE P:801.995.6999
[image: SecurityMetrics]
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.mit.edu/pipermail/mitreid-connect/attachments/20200114/a3ac94fa/attachment.html


More information about the mitreid-connect mailing list