Cross-Site Scripting vulnerability and Spectrum

Article ID: 15733

Products

CA Spectrum

Issue/Introduction

Below are the details of the Cross-Site Scripting finding as reported by the AppScan scan.

Cross-Site Scripting

Severity: High

CVSS Score: 7.5

URL: https://oneclick.it.slb.com/spectrum/common/do/about

Entity: aboutAppName (Parameter)

Risk: It may be possible to steal or manipulate the customer's session and cookies, which might be used to impersonate a legitimate user, allowing the attacker to view or alter user records and to perform transactions as that user.

Causes: Sanitization of hazardous characters was not performed correctly on user input.

Fix: Review possible solutions for hazardous character injection.

Reasoning: The test result seems to indicate a vulnerability because AppScan successfully embedded a script in the response, which will be executed when the page loads in the user's browser.
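The finding above describes the classic reflected-XSS pattern: a request parameter (here aboutAppName) is written into the HTML response without output encoding. The example below is an added illustration, not Spectrum's own code or the AppScan report; the request handler, the page template and the probe string are all constructed here. It shows the unencoded reflection beside the hardened version (HTML-escaping the value before it enters the element body, plus an allow-list check on the parameter as a second layer) and a small regression check that counts markup tags introduced by the parameter, which is the kind of test a scanner or a unit test uses to confirm the fix.

```python
import html
import re

# Hypothetical handler for a page like .../common/do/about that reflects the
# aboutAppName parameter. Constructed for this illustration, not Spectrum's code.


def render_about_vulnerable(about_app_name: str) -> str:
    """Reflects the parameter straight into markup: the pattern behind the finding."""
    return f"<html><body><h1>About {about_app_name}</h1></body></html>"


def render_about_fixed(about_app_name: str) -> str:
    """Contextual output encoding: HTML-escape the value before it enters the
    element body. quote=True also encodes quotes, so the same helper is safe
    inside attribute values."""
    safe = html.escape(about_app_name, quote=True)
    return f"<html><body><h1>About {safe}</h1></body></html>"


# Allow-list for a plausible application name (assumed format for the example).
_APP_NAME_RE = re.compile(r"^[A-Za-z0-9 ._-]{1,64}$")


def validate_app_name(about_app_name: str) -> bool:
    """Input validation as defence in depth: reject anything that is not a
    plain application name. This complements, and does not replace, encoding."""
    return _APP_NAME_RE.fullmatch(about_app_name) is not None


# Matches the start of any HTML tag (opening or closing).
_TAG_RE = re.compile(r"<\s*/?\s*[A-Za-z]")


def injected_markup_count(render, value: str) -> int:
    """Regression check: how many tags does the parameter add to the page
    compared with the page rendered for an empty parameter? A correctly
    encoded page yields 0 for any value."""
    baseline = len(_TAG_RE.findall(render("")))
    return len(_TAG_RE.findall(render(value))) - baseline


if __name__ == "__main__":
    # Constructed probe: harmless markup that must not survive as a tag.
    probe = "<i>probe</i>"
    print("vulnerable:", injected_markup_count(render_about_vulnerable, probe))
    print("fixed:     ", injected_markup_count(render_about_fixed, probe))
    print("allow-list accepts 'CA Spectrum':", validate_app_name("CA Spectrum"))
    print("allow-list accepts probe:        ", validate_app_name(probe))
```

Running the block prints 2 injected tags for the vulnerable renderer and 0 for the fixed one; the allow-list accepts "CA Spectrum" and rejects the probe. The encoding step is the actual fix; the allow-list only narrows what reaches the template, and the tag-count check gives a quick way to confirm that a parameter no longer changes the page's structure.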

Is Spectrum susceptible to the Cross-Site Scripting vulnerability and, if so, are there any plans to protect against it?

Environment

Release: SDBSFO99000-10.2-Spectrum-Device Based Suite-Server FOC
Component:

Resolution

The Cross-Site Scripting vulnerability is scheduled to be addressed in Spectrum 10.02.02.00. There is no projected release date for Spectrum 10.02.02.00 at the time this knowledge document was published.