CVE-2020-5497: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

April 1, 2020 (updated August 23, 2021)

The OpenID Connect reference implementation for MITREid Connect through 1.3.3 allows XSS due to userInfoJson being included in the page unsanitized. This is related to header.tag. The issue can be exploited to execute arbitrary JavaScript.

References

github.com/advisories/GHSA-c2h6-7gm8-cv4w
github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/issues/1521
github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/pull/1526
github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/pull/1527
nvd.nist.gov/vuln/detail/CVE-2020-5497

Detect and mitigate CVE-2020-5497 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →