Cross-Site Scripting Vulnerability in Symantec SiteMinder Web Agent
22221
27 May 2023
27 May 2023
CLOSED
MEDIUM
5.4
CVE-2023-23956
Summary
The Symantec SiteMinder Web Agent is susceptible to cross-site scripting attacks, where an attack URL can be presented to unsuspecting users. When a user clicks on the URL, an application may return a display to the browser that includes the input characters, along with an error message about bad parameters on the query string. The display of these parameters in the browser can lead to an unwanted script being executed on the browser.
This advisory provides guidelines to help customers prevent such attacks.
Affected Product(s)
| Symantec SiteMinder WebAgent | ||
| CVE | Supported Version(s) | Remediation |
| CVE-2023-23956 | WebAgent 12.52 | Please follow the below-documented guidelines: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/web-agent-configuration/user-protection/help-prevent-attacks.html |
Issue Details
| CVE-2023-23956 | |
| Severity / CVSS v3.0: | Medium / 5.4 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N) |
| References: | NVD: CVE-2023-23956 |
| Impact: | Cross-Site Scripting |
| Description: | A user can supply malicious HTML and JavaScript code that will be executed in the client browser |
Mitigation & Additional Information
Customer can prevent the above mentioned cross-site scripting attacks by following the guidelines: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/web-agent-configuration/user-protection/help-prevent-attacks.html
Acknowledgements
- CVE-2023-23956: Harshit Joshi, https://www.linkedin.com/in/harshitjoshi01/
Revisions
2023-May-27 Initial public release