GHSA-fq9h-c788-fx73CriticalCVSS 9.3

OpenAM has pre-auth Reflected XSS in OAuth2 / OIDC response_mode=form_post via state parameter (FormPostResponse.ftl)

Published
June 22, 2026
Last Modified
June 22, 2026

🔗 CVE IDs covered (1)

📋 Description

Summary

The OAuth 2.0 / OpenID Connect authorization endpoint does not sufficiently sanitize certain user-supplied parameters before incorporating them into the HTML response generated for the form_post response mode. This may allow an attacker to inject content into the rendered page in the context of the OpenAM origin.

🎯 Affected products1

  • maven/org.openidentityplatform.openam:openam-oauth2:>= 13.0.0, < 16.1.1

🔗 References (3)