The following XSS vulnerabilities have been identified in CA Identity Manager (CA IM) via a security audit. 

• Cross-site scripting (stored), 
• Cross-site scripting (reflected), 
• Cross-site request forgery.

Releases : 14.x

Fixed in 14.3 CP3 and above

Component : IdentityMinder(Identity Manager)

These issues are seen in the CA NIM common component.

Cross-site scripting (stored)

Stored XSS attacks consist in the permanent injection of malicious payloads within the web application and takes effect when the victim's browser displays the corrupted page. When submitting the user creation, a POST request to the /iam/imnimsm/ui/UIRequestHandler endpoint is performed. The details of the user to create are inserted within a POST parameter called “xmlString” in XML formatting. A malicious payload can be placed within the “value” attribute of the username “property” tag. Since the payload is contained within an XML attribute it cannot contain “>” and “<” characters so in order to inject HTML tags the special characters have been encoded as HTML entities (e.g. &gt; &lt;) and subsequently URL encoded to avoid breaking the POST request parameter syntax (the & character introduces a new parameter in the request). In this way, it is possible to store an arbitrary script server-side.

Cross-site scripting (reflected)

The website does not sanitize the user input before it is placed in output in the web page.

Cross-site request forgery

Cross-Site Request Forgery (CSRF) is an attack that forces a legitimate user to perform unwanted actions on a web application in which they are currently authenticated.

Within the CA Identity Manager web application, the functionalities of add, edit and delete users within the CA Normalized Integration Management for Service Management section are vulnerable to Cross-Site Request Forgery attacks.

When performing one of these actions a POST request to the “/iam/imnimsm/ui/UIRequestHandler” endpoint is performed. The application is not able to verify that the request was performed directly by the legitimate user’s web page due to the lack of anti-CSRF mechanism.

The vulnerabilities are addressed in CA IM 14.3:
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-manager/14-3/configuring/security.html#concept.dita_0939e75887fe144387005b52143a206acb55cf50_ProtectionfromCSRFAttacks

A specific Cross Site Vulnerability as described in this Redhat documentation: https://access.redhat.com/solutions/69379 was discovered in IDM deployments against JBOSS 7.2.  This was resolved in 14.3 Cp3:
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-manager/14-3/Release-Notes/Fixed-Defects/Identity-Manager-14-3-CP3---Fixed-Defects.html

This is seen as CWE-79 on security reports.