
Crossdomain.xml Policy Vulnerability detected


Article ID: 109689


Updated On:


Clarity PPM On Premise


Cross-domain policy vulnerability: a code scan of Clarity on-premise servers detects permissive crossdomain.xml policies and raises a high-severity alert for the Flash cross-domain policy.



Release: All Supported Clarity Supported Version 
Component: PPMSEC


Security Scan 


The document explains how Clarity uses the crossdomain.xml file a

This vulnerability was fixed in version 15.3. Customers on a version below 15.3 need to update the crossdomain.xml files and put their own domain name in place of * to deter potential malicious activity, because vulnerability scanners treat access granted to all domains as an intrusion risk.

Step A.
You can use the * (asterisk) character as a wildcard: domain="*" allows access from any domain. Restricting the domain attribute limits access for outside domains. For example, specify your domain:

<allow-http-request-headers-from domain="<domain_name>" headers="*" secure="false" />
<allow-access-from domain="<domain_name>" secure="false" />

There are 4 crossdomain.xml files that need to be updated:

  • <CA PPM Install>\tomcat-nsa-deploy\ROOT\crossdomain.xml
  • <CA PPM Install>\tomcat-app-deploy\ROOT\crossdomain.xml
  • <CA PPM Install>\config\crossdomain.xml
  • <CA PPM Install>\.setup\templates\crossdomain.xml
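As an added example (not part of the article or of the Clarity product), the following Python check flags the wildcard entries in a crossdomain.xml that scanners report and produces the restricted copy described in Step A; the sample policy, the domain ppm.example.com and the install-root handling are assumptions.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Elements whose "domain" attribute decides which origins a Flash/Flex client may load from.
ACCESS_TAGS = ("allow-access-from", "allow-http-request-headers-from")

# The four policy files the article lists, relative to the Clarity install root.
POLICY_FILES = (
    r"tomcat-nsa-deploy\ROOT\crossdomain.xml",
    r"tomcat-app-deploy\ROOT\crossdomain.xml",
    r"config\crossdomain.xml",
    r".setup\templates\crossdomain.xml",
)

# Constructed sample: the permissive policy a scanner reports as a high-severity finding.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" secure="false" />
  <allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>
"""

def find_wildcard_entries(policy_xml: str) -> list[str]:
    """Return the tags of every entry that grants access to any domain (domain="*")."""
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        raise ValueError(f"not a cross-domain policy document: <{root.tag}>")
    return [el.tag for el in root if el.tag in ACCESS_TAGS and el.get("domain") == "*"]

def restrict_policy(policy_xml: str, allowed_domain: str) -> str:
    """Rewrite each domain="*" entry to the given host, as Step A instructs."""
    root = ET.fromstring(policy_xml)
    for el in root:
        if el.tag in ACCESS_TAGS and el.get("domain") == "*":
            el.set("domain", allowed_domain)
    return '<?xml version="1.0"?>\n' + ET.tostring(root, encoding="unicode") + "\n"

def audit_install(install_root: str) -> dict[str, list[str]]:
    """Map each policy file present under install_root to its wildcard entries.
    Missing files are skipped and nothing on disk is modified."""
    findings = {}
    for rel in POLICY_FILES:
        path = Path(install_root) / rel.replace("\\", "/")
        if path.is_file():
            findings[str(path)] = find_wildcard_entries(path.read_text(encoding="utf-8"))
    return findings

if __name__ == "__main__":
    print(find_wildcard_entries(PERMISSIVE_POLICY))
    print(restrict_policy(PERMISSIVE_POLICY, "ppm.example.com"))
```

Run audit_install against the real install root first, then write the output of restrict_policy back to each flagged file after reviewing it.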


Additional Information

Any other external data source integration done with Clarity needs its cross-domain policies to be specified as well. Detailed information can be found here

Clarity also has a cross-site configuration, documented here