SA28: Cross-Site Scripting Vulnerability in ICAP Patience Page
1161
03 March 2020
29 September 2008
CLOSED
LOW
SUMMARY
The ICAP patience page (used to notify the user that a requested object is being scanned) is vulnerable to a cross-site scripting attack.
MITIGATION
Customize the "details" section of the ICAP patience page so that it does not include the $(url) substitution.
The details section can be customized using the Management Console by accessing Configuration->External Services->ICAP and selecting the "ICAP Patience Page" tab, or via the CLI from the "external-services" mode using the "inline http icap-patience details" command.