ForgeRock persistent and reflected Cross Site Scripting (XSS)

Cross Site Scripting (XSS)

Product: OpenIDM
Affected versions: 4.0.0, 4.5.0
Fixed versions:
Component: Admin UI
Severity: Medium


OpenIDM is vulnerable to both persistent and reflected cross-site scripting (XSS) attacks within the Admin UI, which could lead to session hijacking or phishing.

Report Timeline
17-Jan-2017 - Reported
17-Jan-2017 - Vendor response
28-Mar-2017 - Vendor fixed
07-Apr-2017 - Publicly disclosed


Persistent XSS

Injection point: Object management option >> field "Managed Object Name"

Reflected XSS

Injection point: User management option >> parameter "_sortKeys"

GET /openidm/managed/user/86cdebd5-d685-4090-bc5c-3d8ea79fe3aa/authzRoles?page=1&_pageSize=50&sort_by=_id&_sortKeys=_id<script>alert("Xss");</script>&_queryFilter=true&_fields=&_pagedResultsOffset=0&_totalPagedResultsPolicy=ESTIMATE



No workaround available.


Update/upgrade to a fixed version or deploy the relevant patch bundle.
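To hunt for attempts against the "_sortKeys" parameter in web access logs while an instance is still unpatched, the following added example (not ForgeRock's code) extracts "_sortKeys" from each request line and flags any value that falls outside the grammar it assumes for that parameter (comma-separated field paths with an optional + or - prefix). The sample request lines are constructed; the first reuses the request shown above.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample request lines. The first reuses the request from the
# advisory above (payload included); the second is a benign, well-formed call.
SAMPLE_REQUESTS = [
    'GET /openidm/managed/user/86cdebd5-d685-4090-bc5c-3d8ea79fe3aa/authzRoles'
    '?page=1&_pageSize=50&sort_by=_id&_sortKeys=_id<script>alert("Xss");</script>'
    '&_queryFilter=true&_fields=&_pagedResultsOffset=0&_totalPagedResultsPolicy=ESTIMATE',
    'GET /openidm/managed/user?_queryFilter=true&_sortKeys=-userName,givenName&_pageSize=20',
]

# Assumed grammar for a well-formed sort key list: comma-separated field paths
# (segments separated by "/"), each optionally prefixed with + or - for sort
# direction. Markup characters such as < > " ' ( ) never match this allowlist.
SORT_KEY_RE = re.compile(r'^[+-]?[A-Za-z_][A-Za-z0-9_]*(?:/[A-Za-z_][A-Za-z0-9_]*)*$')


def is_valid_sort_keys(value: str) -> bool:
    """True only if the value is non-empty and every comma-separated key matches."""
    return bool(value) and all(SORT_KEY_RE.match(key) for key in value.split(','))


def query_params(query: str):
    """Yield (name, value) pairs from a raw query string, percent-decoding both.
    Splitting on '&' only keeps the payload intact (';' is not a separator here)."""
    for pair in query.split('&'):
        name, _, value = pair.partition('=')
        yield unquote_plus(name), unquote_plus(value)


def find_suspicious_sort_keys(request_lines):
    """Return (path, decoded _sortKeys value) for every request whose _sortKeys
    parameter fails the allowlist, i.e. a candidate reflected-XSS attempt."""
    hits = []
    for line in request_lines:
        parts = line.split()
        if len(parts) < 2:          # not a "METHOD target ..." request line
            continue
        target = urlsplit(parts[1])
        for name, value in query_params(target.query):
            if name == '_sortKeys' and not is_valid_sort_keys(value):
                hits.append((target.path, value))
    return hits


if __name__ == '__main__':
    for path, value in find_suspicious_sort_keys(SAMPLE_REQUESTS):
        print(f'suspicious _sortKeys on {path}: {value!r}')
```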
