(2) Content Security Policy isn't set Because of the Content Security Policy isn't set, Web browsers' protection function isn't enabled for preventing Injection attacks to HTML such as Cross-site Scripting. Target: entire site
(3) Possibilities of redirecting to inappropriate URL by inserting a URL as a parameter. Example: https://siteminder.excample.com/forms/login.fcc?...(snip)...TARGET=-SM-http%3a%2f%2fad%2ecaj%2eco%2ejp%2fprotection%2fmenu
Is it a solution to use "SecureURLs" ACO parameter?
Release: Component: SMPLC
(1) Yes. The details are explained in the URL referred in the inquiry.