{"id":"GHSA-gpxg-fx2g-qxj2","summary":"Kanidm: Stored HTML injection in \"passkey-enrolment\" partial via displayname → htmx-driven authenticated request forgery","details":"### Summary\n\nThe kanidmd web UI renders the WebAuthn passkey-registration challenge as raw JSON inside an inline `\u003cscript id=\"data\"\u003e` element using the Askama `|safe` filter. The challenge embeds the account's `displayname`, which `serde_json` serialises without escaping `\u003c`/`\u003e`. A `displayname` containing `\u003c/script\u003e` therefore terminates the script element early and injects arbitrary HTML into the credential-update page. Because the page is htmx-driven and the server's CSP allows `'unsafe-eval'`, injected `hx-*` attributes can issue authenticated same-origin API requests with the viewer's bearer cookie.\n\n### Impact\n\nAn authenticated attacker who is a member of `idm_people_admins` can write the `displayname` of any `Person` entry — including high-privilege persons — because `idm_acp_people_pii_manage` carries no high-privilege exclusion filter. When the targeted high-privilege user later opens **Add Passkey** on their own credential-update page (`/ui/reset`), the injected markup is swapped into the DOM and htmx fires attacker-chosen same-origin requests authenticated as the victim. This allows a helpdesk-tier operator to escalate to `idm_admins` (e.g. by POSTing themselves into the group) or otherwise act with the victim's session. The self-write path (`idm_people_self_name_write`) is self-XSS only and is not counted toward impact.\n\nEven without the htmx vector, the breakout permits `\u003cmeta http-equiv='refresh'\u003e` open-redirect and arbitrary defacement of the credential page.\n\n### Details\n\n- https://github.com/kanidm/kanidm/blob/master/server/core/templates/credential_update_add_passkey_partial.html#L3 — the `|safe` sink\n- https://github.com/kanidm/kanidm/blob/master/server/core/src/https/views/reset.rs#L506-L509 — `serde_json::to_string` of the challenge\n- https://github.com/kanidm/kanidm/blob/master/server/lib/src/idm/credupdatesession.rs#L2453-L2460 — `displayname` flows into `start_passkey_registration`\n\n### Affected versions\n\nAll releases shipping the htmx credential-update views (`\u003c= 1.9.2`); fixed in 1.9.3","modified":"2026-05-06T23:49:30.988333Z","published":"2026-05-06T23:34:20Z","database_specific":{"nvd_published_at":null,"github_reviewed_at":"2026-05-06T23:34:20Z","severity":"MODERATE","github_reviewed":true,"cwe_ids":["CWE-79"]},"references":[{"type":"WEB","url":"https://github.com/kanidm/kanidm/security/advisories/GHSA-gpxg-fx2g-qxj2"},{"type":"PACKAGE","url":"https://github.com/kanidm/kanidm"}],"affected":[{"package":{"name":"kanidm","ecosystem":"crates.io","purl":"pkg:cargo/kanidm"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.9.3"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-gpxg-fx2g-qxj2/GHSA-gpxg-fx2g-qxj2.json","last_known_affected_version_range":"\u003c= 1.9.2"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"}]}
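The sink the advisory describes, as an added std-only Rust example that is not Kanidm's code: a challenge carrying the account `displayname` is serialised to JSON with a quoter that, like `serde_json`, leaves `<` and `>` untouched, then pasted verbatim into an inline `<script id="data">` the way an Askama `|safe` filter would. `markup_after_script` approximates the HTML tokenizer's script-data rule (the element body ends at the first case-insensitive `</script`) so the breakout can be observed without a browser, and `escape_json_for_script` shows the usual fix: rewrite `<`, `>`, `&`, U+2028 and U+2029 as JSON `\uXXXX` escapes, which `JSON.parse` on the client decodes back to the original characters. The challenge shape, the account name and the `/attacker-chosen/path` route are placeholders, not Kanidm structures or endpoints.

```rust
// Added example, not Kanidm's code. The challenge layout and paths are placeholders.

/// serde_json-style string quoting: escapes '"', '\\' and control characters only,
/// so '<', '>' and '&' pass through untouched (the root of the breakout).
fn json_quote(s: &str) -> String {
    let mut out = String::from("\"");
    for c in s.chars() {
        match c {
            '"' => out.push_str("\\\""),
            '\\' => out.push_str("\\\\"),
            '\n' => out.push_str("\\n"),
            '\r' => out.push_str("\\r"),
            '\t' => out.push_str("\\t"),
            c if (c as u32) < 0x20 => out.push_str(&format!("\\u{:04x}", c as u32)),
            c => out.push(c),
        }
    }
    out.push('"');
    out
}

/// Simplified stand-in for a WebAuthn registration challenge; only displayName
/// matters here, and it is the attacker-controlled field.
fn challenge_json(displayname: &str) -> String {
    format!(
        r#"{{"publicKey":{{"rp":{{"name":"kanidm"}},"user":{{"name":"alice","displayName":{}}}}}}}"#,
        json_quote(displayname)
    )
}

/// The vulnerable template: JSON dropped into the script element verbatim (|safe).
fn render_inline_script(json: &str) -> String {
    format!("<script id=\"data\">{}</script>", json)
}

/// Hardened variant: the characters the HTML script-data parser reacts to become
/// JSON unicode escapes. The document is still valid JSON and decodes to the same
/// value, so the client that reads `#data` needs no change.
fn escape_json_for_script(json: &str) -> String {
    let mut out = String::with_capacity(json.len());
    for c in json.chars() {
        match c {
            '<' => out.push_str("\\u003c"),
            '>' => out.push_str("\\u003e"),
            '&' => out.push_str("\\u0026"),
            '\u{2028}' => out.push_str("\\u2028"),
            '\u{2029}' => out.push_str("\\u2029"),
            c => out.push(c),
        }
    }
    out
}

fn render_inline_script_safe(json: &str) -> String {
    render_inline_script(&escape_json_for_script(json))
}

/// Approximates the tokenizer's script-data state: the script body ends at the first
/// case-insensitive "</script" and everything after that tag is parsed as ordinary
/// markup. Returns that trailing markup (empty when nothing escapes the element).
fn markup_after_script(rendered: &str) -> String {
    let lower = rendered.to_ascii_lowercase(); // ASCII-only change: byte offsets match
    let body_start = lower.find('>').map_or(0, |i| i + 1);
    let close_start = match lower[body_start..].find("</script") {
        Some(off) => body_start + off,
        None => return String::new(),
    };
    let close_end = lower[close_start..]
        .find('>')
        .map_or(lower.len(), |i| close_start + i + 1);
    rendered[close_end..].to_string()
}

/// Decodes JSON \uXXXX escapes (BMP, non-surrogate) so the round trip can be checked
/// without a JSON library: the hardened text must carry the same value as the original.
fn decode_unicode_escapes(s: &str) -> String {
    let mut out = String::with_capacity(s.len());
    let mut chars = s.chars().peekable();
    while let Some(c) = chars.next() {
        if c == '\\' && chars.peek() == Some(&'u') {
            chars.next();
            let hex: String = chars.by_ref().take(4).collect();
            match u32::from_str_radix(&hex, 16).ok().and_then(char::from_u32) {
                Some(decoded) => out.push(decoded),
                None => {
                    out.push_str("\\u");
                    out.push_str(&hex);
                }
            }
        } else {
            out.push(c);
        }
    }
    out
}

fn main() {
    // Constructed attacker displayname. Single quotes are used because JSON quoting
    // would turn '"' into '\"' and break the attribute; the route is a placeholder.
    let payload = "</script><div hx-get='/attacker-chosen/path' hx-trigger='load'></div>";
    let json = challenge_json(payload);
    println!("vulnerable: {:?}", markup_after_script(&render_inline_script(&json)));
    println!("hardened:   {:?}", markup_after_script(&render_inline_script_safe(&json)));
}
```

The vulnerable rendering leaves a `<div hx-get=... hx-trigger='load'>` outside the script element, which is exactly the markup htmx would act on once the partial is swapped in; the hardened rendering keeps the whole challenge inside the element and still decodes to the original JSON. Escaping at the serialisation boundary is preferable to filtering `displayname` on write, since the same JSON may later be embedded by other templates.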