There are multiple reflected XSS issues in the generic_form_row.jsp JSP file included in both the crowd-demo-app and crowd-openid-server projects. The vulnerabilities result from writing user-controlled request parameters (the warning, label, value and description values returned by request.getParameter()) into the page without HTML-encoding them first.
generic_form_row.jsp
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<div class="fieldArea required">
    <% if (request.getParameter("warning") != null) { %>
        <%-- "warning" parameter reflected without HTML encoding --%>
        <div class="errorBox"> <%=request.getParameter("warning") %> </div>
    <% } %>
    <label class="fieldLabelArea">
        <% if (request.getParameter("label") != null) { %>
            <%-- "label" parameter reflected without HTML encoding --%>
            <%=request.getParameter("label") %>:
        <% } %>
    </label>
    <div class="fieldValueArea">
        <% if (request.getParameter("value") != null) { %>
            <%-- "value" parameter reflected without HTML encoding --%>
            <%=request.getParameter("value") %>
        <% } %>
        <div class="fieldDescription">
            <% if (request.getParameter("description") != null) { %>
                <%-- "description" parameter reflected without HTML encoding --%>
                <%=request.getParameter("description") %>
            <% } %>
        </div>
    </div>
</div>
The vulnerability can be triggered with a specially crafted URL like the following:
[CWD-3428] Reflected XSS in generic_form_row.jsp
Workflow | Original: Simplified Crowd Development Workflow v2 - restricted [ 1511162 ] | New: JAC Bug Workflow v3 [ 3365608 ] |
Status | Original: Resolved [ 5 ] | New: Closed [ 6 ] |
Workflow | Original: Simplified Crowd Development Workflow v2 [ 1393406 ] | New: Simplified Crowd Development Workflow v2 - restricted [ 1511162 ] |
Workflow | Original: Crowd Development Workflow v2 [ 542525 ] | New: Simplified Crowd Development Workflow v2 [ 1393406 ] |
Labels | Original: security security_codereview | New: cvss-high security security_codereview |
Labels | Original: security security_codereview to-publish | New: security security_codereview |
Security | Original: Reporters and Developers [ 10071 ] |
Labels | Original: security security_codereview | New: security security_codereview to-publish |
Fix Version/s | New: 2.6.5 [ 34791 ] |
Fix Version/s | New: 2.5.6 [ 35791 ] |
Fix Version/s | New: 2.4.11 [ 35790 ] |
Resolution | New: Fixed [ 1 ] |
Status | Original: Technical Review [ 10028 ] | New: Resolved [ 5 ] |