LOW
GHSA-fhrq-3gmx-p879
OpenAM SAML2 Cluster Cookie-Hash-Redirect Path has Pre-authentication Reflected XSS via `FSUtils.postToTarget`
Details
## Summary
Certain federation endpoints do not consistently apply output encoding when rendering user-supplied parameters into HTML responses. Under a non-default configuration used in some clustered deployments, this inconsistency can result in reflected XSS in the OpenAM origin without authentication.
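The class of fix the summary describes, as an added example that is not OpenAM code and not the project's patch: every request-derived value is HTML-attribute-encoded before it is written into the response, and the post target is restricted to absolute http(s) URLs because encoding alone does not neutralise a `javascript:` form action. It assumes the response is an auto-submitting POST form; the class, method, host, path and field names are hypothetical.

```java
import java.net.URI;
import java.util.LinkedHashMap;
import java.util.Map;

// Added illustration; class and method names are hypothetical, not OpenAM's API.
public class AutoPostForm {

    // Encode a value for use inside a double-quoted HTML attribute.
    static String attr(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // Allow only absolute http(s) targets; URI.create throws on malformed input.
    static String checkedTarget(String target) {
        URI u = URI.create(target);
        String scheme = u.getScheme();
        boolean web = "https".equalsIgnoreCase(scheme) || "http".equalsIgnoreCase(scheme);
        if (!web || u.getHost() == null) {
            throw new IllegalArgumentException("target must be an absolute http(s) URL");
        }
        return target;
    }

    // Build the auto-submitting form with every dynamic value encoded.
    static String render(String target, Map<String, String> fields) {
        StringBuilder html = new StringBuilder("<html><body onload=\"document.forms[0].submit()\">\n");
        html.append("<form method=\"post\" action=\"").append(attr(checkedTarget(target))).append("\">\n");
        for (Map.Entry<String, String> f : fields.entrySet()) {
            html.append("<input type=\"hidden\" name=\"").append(attr(f.getKey()))
                .append("\" value=\"").append(attr(f.getValue())).append("\"/>\n");
        }
        return html.append("</form></body></html>\n").toString();
    }

    public static void main(String[] args) {
        Map<String, String> fields = new LinkedHashMap<>();
        // Constructed input: a parameter value that tries to close the attribute.
        fields.put("RelayState", "x\"><b>injected</b>");
        System.out.print(render("https://node2.example.com/app/endpoint", fields));
    }
}
```

In the rendered page the constructed value appears as `x&quot;&gt;&lt;b&gt;injected&lt;/b&gt;` inside the `value` attribute, so it stays data rather than markup.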
Affected packages
Maven / org.openidentityplatform.openam:openam-federation-library
Introduced in: 0
Fixed in: 16.1.1
Fix
# pom.xml: bump <version>16.1.1</version> for org.openidentityplatform.openam:openam-federation-library