{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/openam-oauth2--13.0.0--16.1.1/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["openam-oauth2 (\u003e= 13.0.0, \u003c 16.1.1)"],"_cs_severities":["critical"],"_cs_tags":["xss","web-vulnerability","openam","oidc","oauth2"],"_cs_type":"advisory","_cs_vendors":["OpenIdentityPlatform"],"content_html":"\u003cp\u003eOpenIdentityPlatform OpenAM, a popular access management solution, is affected by a critical pre-authentication reflected Cross-Site Scripting (XSS) vulnerability, identified as CVE-2026-44203. The vulnerability resides in the \u003ccode\u003eopenam-oauth2\u003c/code\u003e component, specifically within the OAuth 2.0 / OpenID Connect authorization endpoint when utilizing the \u003ccode\u003eform_post\u003c/code\u003e response mode. Insufficient sanitization of user-supplied parameters, notably the \u003ccode\u003estate\u003c/code\u003e parameter, before their inclusion in the HTML response (generated by \u003ccode\u003eFormPostResponse.ftl\u003c/code\u003e) allows attackers to inject arbitrary client-side script. This flaw impacts OpenAM versions from 13.0.0 up to, but not including, 16.1.1. Defenders must prioritize patching to prevent attackers from exploiting this vulnerability to execute malicious code within the victim's browser in the context of the OpenAM origin, potentially leading to session compromise or credential theft.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable OpenAM instance exposed to the internet.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious URL targeting the OpenAM OAuth2/OIDC authorization endpoint, embedding an XSS payload (e.g., \u003ccode\u003e\u0026lt;script\u0026gt;alert(document.domain)\u0026lt;/script\u0026gt;\u003c/code\u003e) within the \u003ccode\u003estate\u003c/code\u003e parameter. The URL also specifies \u003ccode\u003eresponse_mode=form_post\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAttacker distributes this crafted URL to a potential victim, typically via a phishing email, malicious web link, or social engineering.\u003c/li\u003e\n\u003cli\u003eVictim clicks the malicious URL, sending a request to the vulnerable OpenAM server that includes the attacker-controlled \u003ccode\u003estate\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eOpenAM, processing the request for the \u003ccode\u003eform_post\u003c/code\u003e response mode, fails to adequately sanitize the \u003ccode\u003estate\u003c/code\u003e parameter due to CVE-2026-44203 and embeds the malicious script directly into the HTML response (\u003ccode\u003eFormPostResponse.ftl\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe victim's web browser receives the crafted HTML response and, treating it as legitimate content from the OpenAM domain, executes the embedded malicious JavaScript.\u003c/li\u003e\n\u003cli\u003eThe executed XSS payload performs actions such as stealing the victim's session cookies, attempting to harvest credentials, or performing arbitrary actions on behalf of the user within the OpenAM application.\u003c/li\u003e\n\u003cli\u003eAttacker leverages the stolen information or actions to gain unauthorized access or control within the victim's OpenAM session.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful exploitation of CVE-2026-44203 grants an attacker the ability to execute arbitrary client-side script within the victim's browser, operating under the security context of the OpenAM domain. This can lead to severe consequences including session hijacking, credential theft, defacement of the legitimate OpenAM interface, or redirection to malicious sites. The critical CVSS score of 9.3 underscores the potential for significant compromise due to the vulnerability being pre-authentication and having high impacts on confidentiality and integrity. Although specific victim counts are not available, all organizations running vulnerable OpenAM versions are at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-44203 immediately by upgrading \u003ccode\u003emaven/org.openidentityplatform.openam:openam-oauth2\u003c/code\u003e to version 16.1.1 or higher.\u003c/li\u003e\n\u003cli\u003eDeploy the \u003ccode\u003eDetect CVE-2026-44203 Exploitation - OpenAM Reflected XSS\u003c/code\u003e Sigma rule to your SIEM for early detection of exploitation attempts.\u003c/li\u003e\n\u003cli\u003eConfigure web server or WAF logging to capture full HTTP request details, especially \u003ccode\u003ecs-uri-query\u003c/code\u003e parameters, for all traffic directed at OpenAM endpoints.\u003c/li\u003e\n\u003cli\u003eMonitor web server access logs for requests to \u003ccode\u003e/oauth2/realms/*/authorize\u003c/code\u003e containing \u003ccode\u003eresponse_mode=form_post\u003c/code\u003e and suspicious, script-like content in the \u003ccode\u003estate\u003c/code\u003e parameter as identified by the Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T11:05:31Z","date_published":"2026-07-03T11:05:31Z","id":"https://feed.craftedsignal.io/briefs/2026-07-openam-xss-cve-2026-44203/","summary":"A critical pre-authentication reflected Cross-Site Scripting (XSS) vulnerability, tracked as CVE-2026-44203, in OpenIdentityPlatform OpenAM's `openam-oauth2` component allows an unauthenticated attacker to inject malicious scripts into a victim's browser context by manipulating the `state` parameter in OAuth2/OIDC `form_post` responses, leading to session hijacking or credential theft.","title":"OpenAM Pre-Authentication Reflected XSS via OAuth2/OIDC state parameter (CVE-2026-44203)","url":"https://feed.craftedsignal.io/briefs/2026-07-openam-xss-cve-2026-44203/"}],"language":"en","title":"CraftedSignal Threat Feed - Openam-Oauth2 (\u003e= 13.0.0, \u003c 16.1.1)","version":"https://jsonfeed.org/version/1.1"}