Description
message/ax/AxMessage.java in OpenID4Java before 0.9.6 final, as used in JBoss Enterprise Application Platform 5.1 before 5.1.2, Step2, Kay Framework before 1.0.2, and possibly other products, does not verify that Attribute Exchange (AX) fields in an OpenID authentication response are covered by the response signature (the openid.signed field list). A relying party built on the affected code accepts AX attributes even when they fall outside the signed set, so a remote attacker who can alter the response in transit (a man-in-the-middle) can modify potentially sensitive AX information, such as a returned e-mail address, without the signature check detecting the change.
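The check the vulnerable code omits, shown as an added example that is not OpenID4Java's code: an OpenID 2.0 positive assertion is signed by the OP over exactly the fields named in openid.signed (HMAC over the key-value form of those fields), so any parameter outside that list can be rewritten in transit without breaking openid.sig. The script below constructs an assertion with a constructed association MAC key (the OP and RP would share it through the association handshake), shows the signature still verifying after an unsigned AX e-mail value is tampered with, and contrasts a relying party that reads AX values blindly with one that refuses AX data unless every AX field, including the namespace declaration, is inside the signed set. The function names, endpoint URLs and key material are assumptions for the illustration.

```python
import base64
import hashlib
import hmac

AX_NS = "http://openid.net/srv/ax/1.0"
EMAIL_TYPE = "http://axschema.org/contact/email"
# Constructed association secret; in practice it comes from the OP/RP association.
MAC_KEY = b"constructed-association-mac-key"


def kv_form(params, signed_fields):
    """OpenID 2.0 key-value form of the signed fields: 'key:value\\n' per field,
    in openid.signed order, with the 'openid.' prefix stripped from the key."""
    return "".join(f"{f}:{params['openid.' + f]}\n" for f in signed_fields)


def sign(params, mac_key):
    """openid.sig as an OP computes it for an HMAC-SHA256 association."""
    fields = params["openid.signed"].split(",")
    mac = hmac.new(mac_key, kv_form(params, fields).encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def signature_ok(params, mac_key):
    return hmac.compare_digest(sign(params, mac_key), params.get("openid.sig", ""))


def ax_alias(params):
    """Namespace alias the response uses for AX (usually 'ax'), or None."""
    for key, value in params.items():
        if key.startswith("openid.ns.") and value == AX_NS:
            return key[len("openid.ns."):]
    return None


def unsigned_ax_fields(params):
    """All AX-related fields (namespace declaration included) that openid.signed
    does not cover. An empty list means the AX data is attested by the OP."""
    alias = ax_alias(params)
    if alias is None:
        return []
    signed = set(params["openid.signed"].split(","))
    ax_fields = [f"ns.{alias}"] + [
        k[len("openid."):] for k in params if k.startswith(f"openid.{alias}.")
    ]
    return [f for f in ax_fields if f not in signed]


def ax_attributes(params):
    """Vulnerable pattern: map AX type URIs to values with no signed-set check."""
    alias = ax_alias(params)
    if alias is None:
        return {}
    prefix = f"openid.{alias}.type."
    return {
        type_uri: params.get(f"openid.{alias}.value.{key[len(prefix):]}")
        for key, type_uri in params.items() if key.startswith(prefix)
    }


def ax_attributes_checked(params, mac_key):
    """Hardened pattern: verify openid.sig, then require every AX field to be signed."""
    if not signature_ok(params, mac_key):
        raise ValueError("bad openid.sig")
    missing = unsigned_ax_fields(params)
    if missing:
        raise ValueError(f"AX fields not covered by signature: {missing}")
    return ax_attributes(params)


def make_response(sign_ax):
    """Constructed OP assertion; sign_ax controls whether the OP signs the AX fields."""
    p = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example/endpoint",
        "openid.claimed_id": "https://op.example/alice",
        "openid.identity": "https://op.example/alice",
        "openid.return_to": "https://rp.example/return",
        "openid.response_nonce": "2011-11-08T12:00:00Zabc",
        "openid.assoc_handle": "assoc-1",
        "openid.ns.ax": AX_NS,
        "openid.ax.mode": "fetch_response",
        "openid.ax.type.email": EMAIL_TYPE,
        "openid.ax.value.email": "alice@example.com",
    }
    core = ["op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle"]
    ax = ["ns.ax", "ax.mode", "ax.type.email", "ax.value.email"]
    p["openid.signed"] = ",".join(["signed"] + core + (ax if sign_ax else []))
    p["openid.sig"] = sign(p, MAC_KEY)
    return p


def tampered(params):
    """What a man-in-the-middle does to the response on its way to the RP."""
    t = dict(params)
    t["openid.ax.value.email"] = "attacker@evil.example"
    return t


if __name__ == "__main__":
    weak = tampered(make_response(sign_ax=False))
    print("signature still valid:", signature_ok(weak, MAC_KEY))
    print("vulnerable RP sees:", ax_attributes(weak))
    try:
        ax_attributes_checked(weak, MAC_KEY)
    except ValueError as err:
        print("hardened RP rejects:", err)
    print("hardened RP accepts signed AX:", ax_attributes_checked(make_response(True), MAC_KEY))
```

Note that openid.signed is itself one of the signed fields, so the attacker cannot shrink the signed list to exclude AX without invalidating openid.sig; the only surface left is fields the OP never signed, which is exactly what the signed-set check closes.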
Remediation
References