CVE-2021-28290: XSS issue in Client Secrets and Api Resource Secrets · Issue #813 · skoruba/IdentityServer4.Admin

A cross-site scripting (XSS) vulnerability in Skoruba IdentityServer4.Admin before 2.0.0 via unencoded value passed to the data-secret-value parameter.

CVE
Tags: #xss #vulnerability #sap

In the views ClientSecret and ApiResourceSecret, the data-secret-value data attribute on the button is not HTML encoded:

<td><button class="secret-value-button btn btn-outline-primary" data-secret-value="clientSecret.Value"><i class="fa fa-eye"></i></button></td>

This data attribute is used in the dialog with the secret detail.

<button class="secret-value-button btn btn-outline-primary" data-secret-value="@Html.Encode(clientSecret.Value)"><i class="fa fa-eye"></i></button>

I will send this fix asap.

Thanks to Silton Santos for reporting.
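The following is an added example, not code from the IdentityServer4.Admin project or from the issue above. It simulates the Razor view in plain JavaScript: a button whose data-secret-value attribute carries a client secret, rendered once without encoding (the reported bug) and once through an HTML attribute encoder with the same effect as Html.Encode for the characters that matter (the fix). The secret value is a constructed attacker input; the helper names (htmlEncode, renderButtonUnencoded, renderButtonEncoded, tagsIn, attributeValue, htmlDecode) are this example's own.

```javascript
// Added example: HTML attribute encoding for a data-* attribute.
// Not code from the IdentityServer4.Admin project; all names below are hypothetical.

// Constructed attacker-controlled client secret: closes the attribute and the
// tag, then injects an element with an event handler.
const maliciousSecret = '"><img src=x onerror=alert(document.cookie)>';

// Minimal encoder covering the five characters that can break out of a
// double-quoted attribute value (same effect as Html.Encode for these).
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Inverse of htmlEncode: what a browser hands back via dataset.secretValue.
function htmlDecode(value) {
  return String(value)
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&amp;/g, '&');
}

// Vulnerable rendering: the raw value is dropped straight into the attribute.
function renderButtonUnencoded(secret) {
  return `<td><button class="secret-value-button btn btn-outline-primary" data-secret-value="${secret}"><i class="fa fa-eye"></i></button></td>`;
}

// Fixed rendering: the value is attribute-encoded first.
function renderButtonEncoded(secret) {
  return `<td><button class="secret-value-button btn btn-outline-primary" data-secret-value="${htmlEncode(secret)}"><i class="fa fa-eye"></i></button></td>`;
}

// List the start tags an HTML parser would see. A single cell must yield
// exactly td, button, i; any extra tag means the value escaped the attribute.
function tagsIn(html) {
  return (html.match(/<([a-zA-Z][^\s>\/]*)/g) || []).map(t => t.slice(1));
}

// Read the attribute the way a parser would: up to the first unescaped quote.
function attributeValue(html) {
  const m = html.match(/data-secret-value="([^"]*)"/);
  return m ? m[1] : null;
}

// Usage: compare both renderings for the constructed secret.
console.log('unencoded tags:', tagsIn(renderButtonUnencoded(maliciousSecret)));
console.log('encoded tags:  ', tagsIn(renderButtonEncoded(maliciousSecret)));
console.log('secret survives encoding:',
  htmlDecode(attributeValue(renderButtonEncoded(maliciousSecret))) === maliciousSecret);
```

With the unencoded rendering the attribute value seen by the parser is empty and a fourth element (img) appears in the markup; with the encoded rendering only td, button and i remain, and decoding the attribute returns the original secret unchanged, so the fix does not alter what the eye-button dialog later displays. The dialog itself must still treat that value as text rather than markup when it shows it.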
