The generic_form_row.jsp file, which is included in both the crowd-demo-app and crowd-openid-server projects, contains multiple reflected XSS issues. Each one results from writing the value returned by a request.getParameter() call into the page without HTML-encoding it first.

      generic_form_row.jsp
      <%@ page contentType="text/html;charset=UTF-8" language="java" %>
      
      <div class="fieldArea required">
      
          <%
              if (request.getParameter("warning") != null) {
          %>
          <div class="errorBox">
                      <%=request.getParameter("warning") %>
          </div>
          <%
              }
          %>
      
          <label class="fieldLabelArea">
              <%
                  if (request.getParameter("label") != null) {
              %>
                  <%=request.getParameter("label") %>:
              <%
                  }
              %>
          </label>
      
          <div class="fieldValueArea">
              <%
                  if (request.getParameter("value") != null) {
              %>
                  <%=request.getParameter("value") %>
              <%
                  }
              %>
      
      
              <div class="fieldDescription">
                  <%
                      if (request.getParameter("description") != null) {
                  %>
                      <%=request.getParameter("description") %>
                  <%
                      }
                  %>
              </div>
          </div>
      </div>
      

The vulnerability can be triggered with a specially crafted URL like the following:

            [CWD-3428] Reflected XSS in generic_form_row.jsp

            Monique Khairuliana (Inactive) made changes -
            Status Original: Resolved [ 5 ] New: Closed [ 6 ]
            Security Metrics Bot made changes -
            Labels Original: security security_codereview New: cvss-high security security_codereview
            VitalyA made changes -
            Labels Original: security security_codereview to-publish New: security security_codereview
            VitalyA made changes -
            Security Original: Reporters and Developers [ 10071 ]
            VitalyA made changes -
            Labels Original: security security_codereview New: security security_codereview to-publish
            Caspar Krieger (Inactive) made changes -
            Fix Version/s New: 2.6.5 [ 34791 ]
            Fix Version/s New: 2.5.6 [ 35791 ]
            Caspar Krieger (Inactive) made changes -
            Fix Version/s New: 2.4.11 [ 35790 ]
            Caspar Krieger (Inactive) made changes -
            Resolution New: Fixed [ 1 ]
            Status Original: Technical Review [ 10028 ] New: Resolved [ 5 ]

              ckrieger Caspar Krieger (Inactive)
              cee3f48a9671 Daniel