MITREid Connect OpenID-Connect-Java-Spring-Server version 1.3.3 and earlier is vulnerable to Cross-Site Scripting; the users name is included in *topbar.tag* and *header.tag* without being sanitized. A user can set their name to a value like: Test Which will be included in JSON used by a JavaScript function in *header.tag* : // get the info of the current user, if available (null otherwise) > function getUserInfo() { > return {"sub":"12318767","name":" > *Test* > Test","preferred_username":"Test","given_name":"Test","family_name":"Test","email":" > test@test.com","email_verified":true};} A name such as: Test would also work; it is included in the page when menus are created by *topbar.tag*: >