Reflected XSS Vulnerability in Layer7 OAuth Toolkit(OTK)
Summary
The Symantec Layer7 API Management OAuth Toolkit (OTK) is susceptible to a reflected cross-site scripting (XSS) vulnerability. A remote attacker can craft a malicious URL and target OTK users with phishing attacks or other social engineering techniques. A successful attack allows injecting malicious code into the user’s client browser in one of the OAuth flows.
Affected Product(s)
| Layer7 API Management OAuth Toolkit (OTK) | ||
| CVE | Supported Version(s) | Remediation |
| CVE-2021-30650 | Prior to v4.4.x | Upgrade to OTK 4.5 or contact Symantec Support for mitigation instructions. |
Issue Details
| CVE-2021-30650 | |
| Severity / CVSS v3.1: | Medium / 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) |
| References: | NVD: CVE-2021-30650 |
| Impact: | Cross-site scripting (XSS) |
| Description: | A reflected cross-site scripting (XSS) vulnerability in the Symantec Layer7 API Management OAuth Toolkit (OTK) allows a remote attacker to craft a malicious URL and target OTK users with phishing attacks or other social engineering techniques. A successful attack allows injecting malicious code into the user’s client browser in one of the OAuth flows. |
Mitigation & Additional Information
Contact Symantec Support for mitigation instructions.
Acknowledgements
- CVE-2021-30650: Kirill Anikin and Daniil Morozov of Digital Compliance
Revisions
2022-02-16 initial public release