Support Content Notification - Support Portal

SA28 : Cross-Site Scripting Vulnerability in ICAP Patience Page

Product/Component

Notification Id

1161

Last Updated

03 March 2020

Initial Publication Date

29 September 2008

Status

CLOSED

Severity

LOW

CVSS Base Score

WorkAround

Affected CVE

SUMMARY

The ICAP patience page (used to notify the user that a requested object is being scanned) is vulnerable to a cross-site scripting attack.

MITIGATION

Customize the "details" section of the ICAP patience page so that it does not include the $(url) substitution.

The details section can be customized using the Management Console by accessing Configuration->External Services->ICAP and selecting the "ICAP Patience Page" tab, or via the CLI from the "external-services" mode using the "inline http icap-patience details" command.

REFERENCES

Security Focus BugTraq