We're running a Web Agent Option Pack and we've found a vulnerability.

When user accesses resource /affwebservices/public/samlcc, the Target
parameter is vulnerable to "Open Redirect", the http request can be
modified to contain some arbitary URL redirecting the user to this
modified URL.

How can we fix this ?

Web Agent Option Pack 12.52SP1CR10 on Tomcat on Linux

At first glance, there's an ACO parameter you can set for the Web
Agent Option Pack to force Web Agent Option Pack to validate the
TARGET value against a white list :

  Web Agent Option Pack :: ACO : Full List

    ValidFedTargetDomain

  https://knowledge.broadcom.com/external/article?articleId=49319

  ValidFedTargetDomain 

    Defines valid domains for your federated environment See Agent
    Setting for Federation Domains.

  https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-52-01/configuring/web-agent-configuration/list-of-agent-configuration-parameters.html

  SAML Credential Collector Service URL (SAML 1.x)

   The SAML Credential Collector service assists in consuming SAML 1.x assertions.

     Default URL for this Service

     https://consumer_server:port/affwebservices/public/samlcc

     consumer_server:port

     Identifies the web server and port hosting the Web Agent Option
     Pack or CA Access Gateway.

  https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-52-01/configuring/legacy-federation/federation-web-services-urls-used-by-the-product.html

So the GET action to an unknown target "mybadserver.mybaddomain.com",
will be validated by the Web Agent Option Pack before given the
response to the browser.

  GET /affwebservices/public/samlcc?TARGET=http://mybadserver.mybaddomain.com&SAMLart=dsF1csdwedwdsads44dsa4w4wd44dslN5g%2BHadj2f2IwfY