GHSA-gpxg-fx2g-qxj2

Source
https://github.com/advisories/GHSA-gpxg-fx2g-qxj2
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-gpxg-fx2g-qxj2/GHSA-gpxg-fx2g-qxj2.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-gpxg-fx2g-qxj2
Published
2026-05-06T23:34:20Z
Modified
2026-05-06T23:49:30.988333Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N
Summary
Kanidm: Stored HTML injection in "passkey-enrolment" partial via displayname → htmx-driven authenticated request forgery
Details

Summary

The kanidmd web UI renders the WebAuthn passkey-registration challenge as raw JSON inside an inline <script id="data"> element using the Askama |safe filter. The challenge embeds the account's displayname, which serde_json serialises without escaping the characters <, / and >. A displayname containing </script> therefore terminates the script element early and injects arbitrary HTML into the credential-update page. Because the page is htmx-driven and the server's CSP allows 'unsafe-eval', injected hx-* attributes can issue authenticated same-origin API requests with the viewer's bearer cookie.

Impact

An authenticated attacker who is a member of idm_people_admins can write the displayname of any Person entry — including high-privilege persons — because idm_acp_people_pii_manage carries no high-privilege exclusion filter. When the targeted high-privilege user later opens Add Passkey on their own credential-update page (/ui/reset), the injected markup is swapped into the DOM and htmx fires attacker-chosen same-origin requests authenticated as the victim. This allows a helpdesk-tier operator to escalate to idm_admins (e.g. by POSTing themselves into the group) or otherwise act with the victim's session. The self-write path (idm_people_self_name_write) is self-XSS only and is not counted toward impact. Even without the htmx vector, the breakout permits <meta http-equiv='refresh'> open-redirect and arbitrary defacement of the credential page.

Details

  • https://github.com/kanidm/kanidm/blob/master/server/core/templates/credentialupdateaddpasskeypartial.html#L3 — the |safe sink
  • https://github.com/kanidm/kanidm/blob/master/server/core/src/https/views/reset.rs#L506-L509 — serde_json::to_string of the challenge
  • https://github.com/kanidm/kanidm/blob/master/server/lib/src/idm/credupdatesession.rs#L2453-L2460 — displayname flows into start_passkey_registration
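The following Rust program is an added illustration of the sink described above, not code from Kanidm or the advisory: it reproduces the breakout with a hand-written serde_json-style string quoter (no external crate), then shows the usual mitigation of rewriting <, >, & and U+2028/U+2029 as JSON \u escapes before the document reaches a |safe sink, plus a simple check for rendered output. The JSON shape and all function names are assumptions.

```rust
/// JSON string quoting in the style of serde_json::to_string: only quotes,
/// backslashes and control characters are escaped, so '<' and '>' pass through.
fn json_quote(s: &str) -> String {
    let mut out = String::from("\"");
    for c in s.chars() {
        match c {
            '"' => out.push_str("\\\""),
            '\\' => out.push_str("\\\\"),
            c if (c as u32) < 0x20 => out.push_str(&format!("\\u{:04x}", c as u32)),
            c => out.push(c),
        }
    }
    out.push('"');
    out
}

/// Mitigation: rewrite a JSON document so it is safe inside a <script> element.
/// '<', '>', '&', U+2028 and U+2029 become JSON \u escapes; the result is still
/// valid JSON with the same value but can no longer spell "</script" or "<!--".
fn script_safe_json(json: &str) -> String {
    let mut out = String::with_capacity(json.len());
    for c in json.chars() {
        match c {
            '<' | '>' | '&' | '\u{2028}' | '\u{2029}' => out.push_str(&format!("\\u{:04x}", c as u32)),
            c => out.push(c),
        }
    }
    out
}

/// Renders an assumed challenge shape into the data element; `raw = true` mirrors
/// the |safe sink in the advisory, `false` applies script_safe_json first.
fn render_script(displayname: &str, raw: bool) -> String {
    let json = ["{\"user\":{\"displayName\":", &json_quote(displayname), "}}"].concat();
    let body = if raw { json } else { script_safe_json(&json) };
    format!("<script id=\"data\" type=\"application/json\">{}</script>", body)
}

/// Check on rendered output: more than one closing tag means the data broke out early.
fn script_breakout(html: &str) -> bool {
    html.to_ascii_lowercase().matches("</script").count() > 1
}

fn main() {
    // Constructed sample displayname that would close the script element early.
    let name = "Alice </script><b>injected</b>";
    for raw in [true, false] {
        let html = render_script(name, raw);
        println!("raw={} breakout={}\n{}", raw, script_breakout(&html), html);
    }
}
```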

Affected versions

All releases shipping the htmx credential-update views

Database specific
{
    "nvd_published_at": null,
    "severity": "MODERATE",
    "github_reviewed_at": "2026-05-06T23:34:20Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "github_reviewed": true
}
References

Affected packages

crates.io / kanidm

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
1.9.3

Database specific

last_known_affected_version_range
"<= 1.9.2"
source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-gpxg-fx2g-qxj2/GHSA-gpxg-fx2g-qxj2.json"