Description
There are multiple reflected XSS issues in the generic_form_row.jsp JSP file included in both the crowd-demo-app and crowd-openid-server projects. The vulnerabilities are the result of writing user-controlled data into the page without first HTML-encoding the values returned by the request.getParameter() calls.
generic_form_row.jsp
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<div class="fieldArea required">
    <% if (request.getParameter("warning") != null) { %>
        <div class="errorBox">
            <%=request.getParameter("warning") %>
        </div>
    <% } %>
    <label class="fieldLabelArea">
        <% if (request.getParameter("label") != null) { %>
            <%=request.getParameter("label") %>:
        <% } %>
    </label>
    <div class="fieldValueArea">
        <% if (request.getParameter("value") != null) { %>
            <%=request.getParameter("value") %>
        <% } %>
        <div class="fieldDescription">
            <% if (request.getParameter("description") != null) { %>
                <%=request.getParameter("description") %>
            <% } %>
        </div>
    </div>
</div>
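For comparison, the same fragment with every parameter HTML-encoded before output. This is an added example, not the project's own fix: it assumes the JSTL core tag library is available on the web application's classpath and uses c:out, which escapes &lt;, &gt;, &amp;, ' and " by default (escapeXml="true"), so the four request parameters are rendered as text rather than interpreted as markup.

```jsp
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%-- Same structure as generic_form_row.jsp; each scriptlet expression
     <%= request.getParameter(...) %> is replaced by <c:out>, whose default
     escapeXml="true" HTML-encodes the value. ${param.x} is the EL implicit
     object for request parameters and is null when the parameter is absent. --%>
<div class="fieldArea required">
    <c:if test="${param.warning != null}">
        <div class="errorBox">
            <c:out value="${param.warning}" />
        </div>
    </c:if>
    <label class="fieldLabelArea">
        <c:if test="${param.label != null}">
            <c:out value="${param.label}" />:
        </c:if>
    </label>
    <div class="fieldValueArea">
        <c:if test="${param.value != null}">
            <c:out value="${param.value}" />
        </c:if>
        <div class="fieldDescription">
            <c:if test="${param.description != null}">
                <c:out value="${param.description}" />
            </c:if>
        </div>
    </div>
</div>
```

With this change a constructed request such as ?warning=%3Cb%3Ehi%3C/b%3E renders the literal text &lt;b&gt;hi&lt;/b&gt; in the error box instead of bold markup, which is the behaviour a reviewer can check in the served HTML to confirm the encoding is in place.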
The vulnerability can be triggered with a specially crafted URL like the following: