Reflected XSS Vulnerability in Layer7 OAuth Toolkit(OTK)

Products: CA API Gateway (and 1 more product)
ID: 20170
Published: 17 February 2022
Updated: 17 February 2022
Status: CLOSED
Severity: MEDIUM
CVSS score: 6.1

Summary

The Symantec Layer7 API Management OAuth Toolkit (OTK) is susceptible to a reflected cross-site scripting (XSS) vulnerability. A remote, unauthenticated attacker can craft a malicious URL and deliver it to OTK users through phishing or other social engineering. If the victim follows the link, attacker-supplied script executes in the victim's browser in the context of one of the OAuth flows.

Affected Product(s)

Layer7 API Management OAuth Toolkit (OTK)

CVE             Supported Version(s)   Remediation
CVE-2021-30650  Prior to v4.4.x        Upgrade to OTK 4.5 or contact Symantec Support for mitigation instructions.

 

Issue Details

CVE-2021-30650
Severity / CVSS v3.1: Medium / 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
References: NVD: CVE-2021-30650
Impact: Cross-site scripting (XSS)
Description: A reflected cross-site scripting (XSS) vulnerability in the Symantec Layer7 API Management OAuth Toolkit (OTK) allows a remote, unauthenticated attacker to craft a malicious URL and target OTK users with phishing attacks or other social engineering techniques. A successful attack executes attacker-supplied script in the victim's browser in the context of one of the OAuth flows; the vector reflects this (no privileges required, user interaction required, scope changed because the script runs in the OTK user's browser rather than on the gateway).
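The advisory does not name the affected parameter or flow, so the following is an added, hypothetical illustration of how a reflected XSS arises in an OAuth authorization endpoint and how it is hardened. It is not OTK code; the endpoint, the parameter names (client_id, redirect_uri, state), the registered-client allow-list and the attack query are all constructed for the example.

```python
"""Hypothetical reflected XSS in an OAuth authorization error page, beside a
hardened version. Added example; not Layer7 OTK code. All names are assumed."""
from html import escape
from urllib.parse import parse_qs, urlencode

# Constructed allow-list of exact redirect URIs registered per client (hypothetical).
REGISTERED_CLIENTS = {
    "client123": {"https://app.example.com/callback"},
}

# Constructed attacker link: the victim is phished into following an authorize URL
# whose `state` breaks out of a double-quoted attribute and injects script.
ATTACK_QUERY = urlencode({
    "client_id": "client123",
    "redirect_uri": "https://app.example.com/callback",
    "state": '"><script>alert(document.domain)</script>',
})


def _first(params: dict, name: str) -> str:
    return params.get(name, [""])[0]


def vulnerable_error_page(query_string: str) -> str:
    """Reflects request parameters straight into HTML with no output encoding."""
    params = parse_qs(query_string, keep_blank_values=True)
    redirect_uri = _first(params, "redirect_uri")
    state = _first(params, "state")
    return (
        "<html><body><h1>Authorization error</h1>"
        f"<p>Could not redirect to {redirect_uri}</p>"
        f'<input type="hidden" name="state" value="{state}">'
        "</body></html>"
    )


def hardened_error_page(query_string: str) -> str:
    """Only echoes a redirect_uri that exactly matches the client's registration,
    and HTML-encodes every reflected value (including quotes) for its context."""
    params = parse_qs(query_string, keep_blank_values=True)
    client_id = _first(params, "client_id")
    redirect_uri = _first(params, "redirect_uri")
    state = _first(params, "state")
    allowed = REGISTERED_CLIENTS.get(client_id, set())
    shown_uri = redirect_uri if redirect_uri in allowed else "(unregistered redirect_uri)"
    return (
        "<html><body><h1>Authorization error</h1>"
        f"<p>Could not redirect to {escape(shown_uri, quote=True)}</p>"
        f'<input type="hidden" name="state" value="{escape(state, quote=True)}">'
        "</body></html>"
    )


def contains_live_script(html: str) -> bool:
    """Crude check used to compare the two responses: an unencoded <script> tag."""
    return "<script>" in html


if __name__ == "__main__":
    print("vulnerable injects script:", contains_live_script(vulnerable_error_page(ATTACK_QUERY)))
    print("hardened injects script:  ", contains_live_script(hardened_error_page(ATTACK_QUERY)))
```

The two defences are independent: exact-match validation of redirect_uri stops an attacker from placing arbitrary content in the page at all, and context-aware encoding of whatever is still reflected (here `state`, which legitimately round-trips through the flow) neutralises the rest. A Content-Security-Policy on the gateway's HTML responses is a useful third layer but does not replace either.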

 

Mitigation & Additional Information

Upgrade to OTK 4.5 where possible; otherwise contact Symantec Support for mitigation instructions.

 

Acknowledgements

  • CVE-2021-30650: Kirill Anikin and Daniil Morozov of Digital Compliance

 

Revisions

2022-02-16 initial public release