Cross-Site Scripting vulnerability and Spectrum

Article Id: 15733

Status: Published

Updated On: 14-02-2018 07:50

Legacy Id: TEC1523736

Products:

CA Spectrum - OneClick , CA Spectrum - Reporting , CA Spectrum - Integrations , CA Spectrum - Alarms & Event Management

Issue/Introduction:

Below are the details on the Cross-Site Scripting vulnerability.

Cross-Site Scripting

Severity: High

CVSS Score: 7.5

URL: https://oneclick.it.slb.com/spectrum/common/do/about

Entity: aboutAppName (Parameter)

Risk: It may be possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user

Causes: Sanitation of hazardous characters was not performed correctly on user input

Fix: Review possible solutions for hazardous character injection

Reasoning: The test result seems to indicate a vulnerability because Appscan successfully embedded a script in the response, which will be executed when the page loads in the user's browser.

Is Spectrum susceptible to the Cross-Site Scripting vulnerability and if so, are there any plans to protect against it?

Environment:

Release: SDBSFO99000-10.2-Spectrum-Device Based Suite-Server FOC
Component:

Resolution:

The Cross-Site Scripting vulnerability is scheduled to be addressed in Spectrum 10.02.02.00. There is no projected release date for Spectrum 10.02.02.00 at the time this knowledge document was published.