[mitreid-connect] CVE-2020-5498
Aaron Bishop
aaron at securitymetrics.com
Tue Jan 14 14:18:46 EST 2020
Hello,
I reported a Cross-Site Scripting
<https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/issues/1521>
issue,
which has been assigned CVE-2020-5497, affecting OpenID but withheld
publicly reporting a related issue. A user can purposefully conduct the
Cross-Site Scripting attack against themselves to force the isAdmin check
to return true. The isAdmin call is used by several pages to view page
content. This would allow a low privileged user to view pages such as
Scope, Whitelist, Clients, etc. This issue was assigned CVE-2020-5498 but
has not been published. Let me know if you need more information.
Best regards,
AARON BISHOP | Principal Penetration Tester CISSP, OSCP, OSWE P:801.995.6999
[image: SecurityMetrics]
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.mit.edu/pipermail/mitreid-connect/attachments/20200114/a3ac94fa/attachment.html
More information about the mitreid-connect
mailing list