SEPM Cross-Site Request Forgery vulnerability when scanning against port 8443

Article ID: 196086

Products

Endpoint Protection

Issue/Introduction

A third-party vulnerability scanner reported a Cross-Site Request Forgery (CSRF) vulnerability when scanning port 8443 against the Symantec Endpoint Protection Manager (SEPM) server.

Environment

14.3

Resolution

In SEPM 14.2 RU1 and later, SEPM sends the newer Content-Security-Policy: frame-ancestors 'self' header instead of the X-Frame-Options header.
The newer header is supported by all major modern browsers, so the absence of the superseded X-Frame-Options header does not by itself constitute a vulnerability. Scanners that test only for the presence of X-Frame-Options will keep reporting this finding; it can be treated as a false positive once the Content-Security-Policy header has been confirmed in the console's responses.

Symantec uses frame-busting JavaScript in addition to Content-Security-Policy for pages that contain sensitive information.
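As an added example that is not part of the KB article or Symantec's code, the following Python check parses a response's headers and reports which mechanism (the Content-Security-Policy frame-ancestors directive or X-Frame-Options) prevents other sites from framing the page, which is the evidence to hand back when the scanner flags port 8443. The host name sepm.example.internal and the sample header sets are placeholders constructed for the example.

```python
import ssl
import urllib.error
import urllib.request
from typing import Dict, List, Optional

def parse_csp(value: str) -> Dict[str, List[str]]:
    """Parse a Content-Security-Policy header value into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def framing_restriction(headers: Dict[str, str]) -> Optional[str]:
    """Name the mechanism that stops arbitrary sites from framing this response,
    or return None when nothing does. A frame-ancestors list containing '*' or a
    bare scheme (e.g. https:) admits any origin, and browsers that honour
    frame-ancestors ignore X-Frame-Options, so that case is reported as None."""
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy")
    if csp:
        ancestors = parse_csp(csp).get("frame-ancestors")
        if ancestors is not None:
            permissive = any(s == "*" or s.endswith(":") for s in ancestors)
            return None if permissive else "csp-frame-ancestors"
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "x-frame-options"
    return None

def fetch_headers(url: str, cafile: Optional[str] = None) -> Dict[str, str]:
    """Fetch the response headers for url over TLS; a non-2xx reply still yields
    its headers. cafile points at the CA that issued the console certificate."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
            return dict(resp.headers)
    except urllib.error.HTTPError as err:
        return dict(err.headers)

# Constructed header sets for illustration, not captured from a real SEPM server.
SEPM_STYLE = {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"}
LEGACY_STYLE = {"X-Frame-Options": "SAMEORIGIN"}
UNPROTECTED = {"Content-Type": "text/html"}

if __name__ == "__main__":
    # Placeholder host: replace with the management server's address.
    print(framing_restriction(fetch_headers("https://sepm.example.internal:8443/")))
```

A result of csp-frame-ancestors for the console's login page is the confirmation the scanner finding should be closed against.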