Open Redirection Vulnerability in Symantec Identity Portal 14.4
Advisory ID: 22544
Updated: 21 September 2023
Published: 14 September 2023
Status: CLOSED
Severity: MEDIUM
CVSS Score: 6.1
CVE Identifier: CVE-2023-23957
Summary
This security advisory addresses a DOM-based open redirection vulnerability in Symantec Identity Portal 14.4, caused by insufficient input validation of the `next` query parameter. An attacker who can get a user to follow a crafted portal link can send that user to an arbitrary external site after the redirect is evaluated in the browser.
Affected Product(s)
Identity Governance And Administration - Identity Portal

| CVE | Supported Version(s) | Remediation |
| --- | --- | --- |
| CVE-2023-23957 | 14.4 | Customers can either upgrade to IGA 14.5 or apply the hot fix on top of Identity Portal 14.4 CP2 (links are provided in the Mitigation section) |
Issue Details
| CVE-2023-23957 | |
| --- | --- |
| Severity / CVSS v3.0: | Medium / 6.1 [AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N] |
| References: | NVD: CVE-2023-23957 |
| Impact: | Open Redirection (DOM-based) |
| Description: | An authenticated user can view and modify the value of the `next` query parameter, which the portal uses as a redirection target without sufficiently validating that it points back to the portal itself. |
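As an added illustration (this is not Symantec's code, and the portal origin, paths and query strings below are constructed assumptions), the following JavaScript shows the class of DOM-based open redirect described above, where a `next` query parameter is used as the redirect target without validation, next to a hardened version that only follows same-origin targets. It runs under Node; in a browser the returned value is what would be assigned to `window.location`.

```javascript
// Added example, not from the advisory or the product: DOM-based open
// redirect via a `next` query parameter, and a hardened replacement.
// Uses the global WHATWG URL / URLSearchParams available in Node and browsers.

// Constructed portal origin used for all checks (assumption, not from the advisory).
const PORTAL_ORIGIN = "https://portal.example.com";

// Vulnerable pattern: the `next` value is read from the query string and
// used as the redirect target as-is. `//evil.example` or
// `https://evil.example` therefore sends the user off-site.
function vulnerableRedirectTarget(search) {
  const params = new URLSearchParams(search);
  return params.get("next") || "/";
}

// Hardened pattern: resolve `next` against the portal origin with the WHATWG
// URL parser (which also normalises backslashes, tabs and %2F sequences),
// accept it only if the resolved origin is the portal's own, and return a
// root-relative path so the browser cannot reinterpret the scheme or host.
function safeRedirectTarget(search, origin = PORTAL_ORIGIN) {
  const params = new URLSearchParams(search);
  const next = params.get("next");
  if (!next) return "/";
  let resolved;
  try {
    resolved = new URL(next, origin);
  } catch {
    return "/"; // unparseable input: fall back to the landing page
  }
  // `javascript:` URLs yield origin "null"; `//evil.example` resolves to a
  // foreign origin; both fail this comparison and fall back to "/".
  if (resolved.origin !== origin) return "/";
  return resolved.pathname + resolved.search + resolved.hash;
}

// Constructed query strings: two legitimate targets, then common
// open-redirect payloads (protocol-relative, absolute, backslash,
// percent-encoded, javascript: scheme, look-alike host).
const SAMPLE_QUERIES = [
  "?next=/ui/dashboard",
  "?next=https://portal.example.com/ui/requests?id=7",
  "?next=//evil.example/phish",
  "?next=https://evil.example/phish",
  "?next=/\\evil.example",
  "?next=%2F%2Fevil.example",
  "?next=javascript:alert(document.domain)",
  "?next=https://portal.example.com.evil.example/",
];

// Runs both implementations over the samples so the difference is visible.
function compare(queries = SAMPLE_QUERIES) {
  return queries.map((q) => ({
    query: q,
    vulnerable: vulnerableRedirectTarget(q),
    hardened: safeRedirectTarget(q),
  }));
}

for (const row of compare()) console.log(row);
```

The origin comparison is deliberately done on the parsed result rather than on the raw string: prefix checks such as `next.startsWith("/")` are bypassed by `//host`, `/\host` and encoded variants, all of which the URL parser resolves to a foreign host and the hardened function rejects.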
Mitigation
- Customers can upgrade to IGA 14.5 (Release Notes: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-suite/14-5/release-notes.html)
- KB article for applying fix on Identity Portal 14.4 CP2: https://knowledge.broadcom.com/external/article?articleId=273584
Acknowledgements
- CVE-2023-23957 Kelsey Henton https://www.linkedin.com/in/kelsey-h-b3333221
Revisions
2023-September-21: Added KB article link for applying fix on IGA 14.4 CP2
2023-September-14: Initial Public Release