We received the two potential vulnerability notifications below. Please let us know if DevTest 10.5 is good to go or needs to be patched.
CVE-2014-3656 - JBossKeycloak login-status-iframe.html Endpoint origin Parameter Reflected XSS
CVE-2013-6495 - JBossWeb Bayeux has reflected XSS
Below is all the info we received for the 2 items:
CVE-2014-3656
Discussion: JBoss Keycloak contains a flaw that allows a reflected cross-site scripting (XSS) attack. This flaw exists because the login-status-iframe.html endpoint does not validate input to the 'origin' parameter before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
Recommended Remediation: For information please refer to the following site(s):
https://web.nvd.nist.gov/view/vuln/search
https://tools.cisco.com/security/center/home.x
http://www.oracle.com/technetwork/topics/security/alerts-086861.html
https://cve.mitre.org/cve/cve.html
Product: redhat.jboss_keycloak.-
Alert Publication Date: 12/10/2019
CVE-2013-6495
Discussion: JBossWeb Bayeux has reflected XSS
Recommended Remediation: For information please refer to the following site(s):
https://web.nvd.nist.gov/view/vuln/search
https://tools.cisco.com/security/center/home.x
http://www.oracle.com/technetwork/topics/security/alerts-086861.html
https://cve.mitre.org/cve/cve.html
Product: redhat.jboss_enterprise_application_platform.6.0.0 up to (excluding) 6.1.1, redhat.jboss_portal.6.0.0 up to (excluding) 6.1.0
Alert Publication Date: 12/11/2019
Release : 10.5.1
Component : CA Service Virtualization