Cross-Site Scripting Vulnerability in Symantec SiteMinder Web Agent

CA Single Sign On Agents (SiteMinder)

22221

27 May 2023

27 May 2023

CLOSED

MEDIUM

5.4

CVE-2023-23956

Summary

The Symantec SiteMinder Web Agent is susceptible to cross-site scripting attacks in which an attack URL is presented to unsuspecting users. When a user clicks the URL, an application may return a page to the browser that includes the input characters along with an error message about bad parameters on the query string. Displaying these parameters in the browser can lead to an unwanted script being executed in the browser.

This advisory provides guidelines to help customers prevent such attacks.
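
The reflection pattern described in the Summary, shown next to a hardened version, as an added Python example; it is not Symantec or SiteMinder code and not the configuration from the linked guidelines. The function names, the reject list and the sample query strings are constructed for illustration.

```python
import html
from urllib.parse import parse_qsl, unquote_plus

# Constructed reject list for this example; not taken from the advisory.
BAD_QUERY_CHARS = ("<", ">", "'", '"')
MAX_DECODE_ROUNDS = 3


def has_bad_chars(raw_query: str) -> bool:
    """Check every decoding level, so both %3C and %253C are caught."""
    current = raw_query
    for _ in range(MAX_DECODE_ROUNDS + 1):
        if any(ch in current for ch in BAD_QUERY_CHARS):
            return True
        decoded = unquote_plus(current)
        if decoded == current:
            return False  # fully decoded and clean
        current = decoded
    # Still changing after the allowed rounds: reject rather than guess.
    return True


def error_page_vulnerable(raw_query: str) -> str:
    """The pattern from the Summary: bad parameters are echoed into HTML as-is."""
    pairs = parse_qsl(raw_query, keep_blank_values=True)
    items = "".join(f"<li>{k} = {v}</li>" for k, v in pairs)
    return f"<h1>Bad parameters on the query string</h1><ul>{items}</ul>"


def error_page_hardened(raw_query: str) -> str:
    """Reject listed characters outright; HTML-encode whatever is still echoed."""
    if has_bad_chars(raw_query):
        return "<h1>Bad request</h1>"  # nothing from the request is echoed
    pairs = parse_qsl(raw_query, keep_blank_values=True)
    items = "".join(
        f"<li>{html.escape(k)} = {html.escape(v)}</li>" for k, v in pairs
    )
    return f"<h1>Bad parameters on the query string</h1><ul>{items}</ul>"


# Constructed sample query strings: benign, encoded markup, double-encoded
# markup, and a value with a character that is not listed but needs encoding.
SAMPLES = ["page=7&sort=asc", "page=%3Cscript%3Ealert(1)%3C/script%3E",
           "page=%253Cb%253E", "q=a%26b"]

if __name__ == "__main__":
    for query in SAMPLES:
        print(query, "->", error_page_hardened(query))
```

The last sample shows why output encoding is kept even with a reject list in place: `&` passes the list but is still emitted as `&amp;`.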

Affected Product(s)

Symantec SiteMinder WebAgent
CVE: CVE-2023-23956
Supported Version(s): WebAgent 12.52
Remediation: Please follow the guidelines documented at: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/web-agent-configuration/user-protection/help-prevent-attacks.html

Issue Details

CVE-2023-23956
Severity / CVSS v3.0: Medium / 5.4 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
References: NVD: CVE-2023-23956
Impact: Cross-Site Scripting
Description: A user can supply malicious HTML and JavaScript code that will be executed in the client browser.

Mitigation & Additional Information

Customers can prevent the above-mentioned cross-site scripting attacks by following the guidelines at: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/web-agent-configuration/user-protection/help-prevent-attacks.html

Revisions

2023-May-27 Initial public release