Control iD RH iD Cross-Site Scripting Vulnerability in API Password Change Service

A cross-site scripting (XSS) vulnerability has been identified in Control iD RH iD version 25.2.25.0. The issue arises in the API handler, specifically within the 'change_password' service of the customer database. The vulnerability allows for remote exploitation by manipulating the 'message' argument, which is not properly sanitized before being output to users. This flaw could lead to the execution of malicious scripts in the context of the user's browser.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject and execute scripts in the context of the victim's user session. This could result in the theft of authentication cookies, session hijacking, and the execution of unauthorized actions on behalf of the victim.

Reproduction

To reproduce this vulnerability, send a POST request to the '/v2/customerdb/person.svc/change_password' endpoint. Include a crafted 'message' field that contains JavaScript payloads. The injected script will execute in the user's browser when the response is rendered.

Remediation

It is recommended to implement proper output encoding for user-supplied data, use a Content Security Policy (CSP) to restrict script execution, and sanitize API responses before displaying them in the front-end.