The DS is vulnerable to XSS attacks through metadata.
If a malicious party were to inject malicious code into the metadata (and any IdP or SP admin can change their display name), the current DS would render it unescaped.
This has been fixed upstream by merging ESAPI - we need to do the same.
So far, the real impact is very low - someone who is an admin of an already approved IdP or SP would have to modify their entry and inject JavaScript into their IdP or SP display name - but this should be fixed ASAP.
From quick testing, the upstream ESAPI library can be merged in (together with updating OpenSAML to 2.5.4) without any other impact.
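To make the problem and the fix concrete, here is an added example (not DS or ESAPI code) that pulls `mdui:DisplayName` values out of constructed SAML metadata and renders them into an HTML selector both the way the report describes (unescaped) and with output encoding, which is what the ESAPI merge provides; the `PLACEHOLDER()` script body and the entity IDs are constructed.

```python
import html
import xml.etree.ElementTree as ET

# Namespaces used by SAML metadata and the MDUI extension that carries DisplayName.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
}

# Constructed sample metadata: one honest IdP and one whose admin put markup
# into the display name (placeholder payload, not taken from any real incident).
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions><mdui:UIInfo>
        <mdui:DisplayName xml:lang="en">Example University</mdui:DisplayName>
      </mdui:UIInfo></md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.org/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions><mdui:UIInfo>
        <mdui:DisplayName xml:lang="en">Example Org &lt;script&gt;PLACEHOLDER()&lt;/script&gt;</mdui:DisplayName>
      </mdui:UIInfo></md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def display_names(metadata_xml):
    """Return {entityID: DisplayName} for every entity in the metadata (falls back to the entityID)."""
    root = ET.fromstring(metadata_xml)
    names = {}
    for ed in root.iter(f"{{{NS['md']}}}EntityDescriptor"):
        dn = ed.find(".//mdui:DisplayName", NS)
        names[ed.get("entityID")] = dn.text if dn is not None else ed.get("entityID")
    return names

def render_unescaped(names):
    """The behaviour the report describes: metadata text dropped straight into HTML."""
    return "".join(f'<option value="{eid}">{name}</option>' for eid, name in names.items())

def render_escaped(names):
    """The fix: HTML-encode every metadata-derived value before it reaches the page."""
    return "".join(
        f'<option value="{html.escape(eid, quote=True)}">{html.escape(name, quote=True)}</option>'
        for eid, name in names.items()
    )

def leaks_script_tag(rendered):
    """Defender check: did a script tag from the metadata survive into the output as live markup?"""
    return "<script" in rendered.lower()
```

The same check belongs in a regression test for the DS once ESAPI is merged: feed metadata with markup in a display name and assert the rendered page contains only the encoded form.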