Detections
Analytics
CA SiteMinder WebAgent Cross-Site Scripting
medium Web App Scanning Plugin ID 113938
Language:
Synopsis
CA SiteMinder WebAgent Cross-Site ScriptingDescription
CA SiteMinder is an unified access management platform which provides Single Sign-On features and identity federation for seamless access. CA SiteMinder WebAgent, one of this platform components, suffers from a Cross-Site Scripting (XSS) vulnerability through some `fcc` endpoints. By crafting a specific payload in the URL, a remote and unauthenticated attacker could leverage this vulnerability to inject malicious JavaScript executed in the context of the target victim user browser.Solution
Apply the workaround provided by the vendor to escape HTML encoding characters on fcc endpoints.See Also
https://blog.reigningshells.com/2019/12/reviving-old-cves-reflected-xss-in-ca.html
https://knowledge.broadcom.com/external/article/258627/security-vulnerability-xss-cve20075923.html
Plugin Details
Severity: Medium
ID: 113938
Type: remote
Family: Component Vulnerability
Published: 5/31/2023
Updated: 1/3/2024
Scan Template: basic, full, pci, scan
Risk Information
VPR
Risk Factor: Low
Score: 3.8
CVSS v2
Risk Factor: Medium
Base Score: 4.3
Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS Score Source: CVE-2007-5923
CVSS v3
Risk Factor: Medium
Base Score: 6.1
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS Score Source: CVE-2007-5923
Vulnerability Information
CPE: cpe:2.3:a:broadcom:etrust_siteminder:*:*:*:*:*:*:*:*
Exploit Available: true
Exploit Ease: Exploits are available
Reference Information
CVE: CVE-2007-5923
BID: 26375
CWE: 79
OWASP: 2010-A2, 2013-A3, 2013-A9, 2017-A7, 2017-A9, 2021-A3, 2021-A6
WASC: Cross-Site Scripting
CAPEC: 209, 588, 591, 592, 63, 85
DISA STIG: APSC-DV-002490, APSC-DV-002630
HIPAA: 164.306(a)(1), 164.306(a)(2)
ISO: 27001-A.14.2.5
NIST: sp800_53-CM-6b, sp800_53-SI-10
OWASP API: 2019-API7, 2023-API8
OWASP ASVS: 4.0.2-14.2.1, 4.0.2-5.3.3