UIM - Clickjacking vulnerability detected on CABI 4.20


Article ID: 199320




DX Unified Infrastructure Management (Nimsoft / UIM)


Security team has detected a vulnerability on my CABI server.
The CABI is running on the bundled 4.20 version.

Name: Web Application Potentially Vulnerable to Clickjacking
URL: https://www.tenable.com/plugins/nessus/85582
Plugin output: https://<CABI_URL>/cabijs/login.html

Please advise if there is a solution or patch for this vulnerability.


Release: 20.1

Component: UIM - CABI


Follow the steps below to address this:

Keep a backup of applicationContext-security-web.xml from the CABI server.

Open the applicationContext-security-web.xml file (found in the ..\Nimsoft\probes\service\wasp\webapps\cabijs\WEB-INF folder).

1) Locate the "antiClickJackingEnabled" property in the webAppSecurityFilter bean and set it to true.
Setting this property to true instructs CABI Server to include an X-Frame-Options header in every response.

2) Set antiClickJackingOption to ALLOW-FROM. (DENY or SAMEORIGIN would also satisfy the scanner, but would stop UMP, which embeds the CABI dashboards in a frame served from a different origin, from loading them.) Note that ALLOW-FROM is a legacy directive: Chrome and Safari never supported it and Firefox dropped it in version 70. A browser that does not recognise the directive ignores the header entirely, so in those browsers this setting satisfies the header check without actually restricting who may frame CABI.

3) In this case you also need to add one more property alongside it, with key "antiClickJackingUri" and the URL of the UMP robot as its value: http(s)://<FQDN or IP of ump-robot>:<port>. Use exactly the scheme, host name and port that users type into the browser to reach UMP, because the browser compares this value against the origin of the UMP page doing the framing.

4) Then, from IM, navigate to Raw Configure of the cabi probe and edit the cabi_url value. Set it to use the CABI robot's FQDN rather than its IP address.

Then restart both the CABI and UMP robots.

Access UMP using its FQDN as well (the same host name, scheme and port configured in antiClickJackingUri), not its IP address.

Check that the summary page loads.
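The following is an added example in Python; it is not code from Broadcom, from the CABI/JasperReports Server code base, or from this article. It parses a constructed copy of the three bean properties set above, derives the X-Frame-Options value the filter should then send, and checks whether a UMP page, reached by FQDN or by IP address, would be allowed to frame CABI. The bean fragment (class attribute and other properties omitted), the host names, the ports and the page paths are all assumptions made up for the example.

```python
"""Added example (not part of the Broadcom article or the CABI code):
predict the X-Frame-Options header produced by the webAppSecurityFilter
settings and check whether the UMP page, as the user actually reaches it,
may frame the CABI dashboards. All host names and ports are made up."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed fragment mirroring the three properties the article sets.
# The real bean also carries a class attribute and more properties.
SAMPLE_BEAN_XML = """\
<beans>
  <bean id="webAppSecurityFilter">
    <property name="antiClickJackingEnabled" value="true"/>
    <property name="antiClickJackingOption" value="ALLOW-FROM"/>
    <property name="antiClickJackingUri" value="https://ump.example.com:443"/>
  </bean>
</beans>
"""

DEFAULT_PORTS = {"http": 80, "https": 443}


def read_clickjacking_props(xml_text):
    """Return the antiClickJacking* properties of the webAppSecurityFilter bean."""
    root = ET.fromstring(xml_text)
    bean = root.find(".//bean[@id='webAppSecurityFilter']")
    if bean is None:
        raise ValueError("no webAppSecurityFilter bean found")
    return {p.get("name"): p.get("value", "")
            for p in bean.findall("property")
            if p.get("name", "").startswith("antiClickJacking")}


def expected_header(props):
    """Return the X-Frame-Options value the filter will emit, or None when disabled."""
    if props.get("antiClickJackingEnabled", "").strip().lower() != "true":
        return None
    option = props.get("antiClickJackingOption", "").strip().upper()
    if option in ("DENY", "SAMEORIGIN"):
        return option
    if option == "ALLOW-FROM":
        uri = props.get("antiClickJackingUri", "").strip()
        if not uri:
            raise ValueError("ALLOW-FROM requires antiClickJackingUri")
        return f"ALLOW-FROM {uri}"
    raise ValueError(f"unsupported antiClickJackingOption: {option!r}")


def origin(url):
    """(scheme, host, port) triple that browsers compare; default ports filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not an http(s) URL: {url!r}")
    return (scheme, parts.hostname.lower(), parts.port or DEFAULT_PORTS[scheme])


def framing_allowed(header, cabi_url, ump_page_url):
    """Would a browser that honours X-Frame-Options let ump_page_url frame cabi_url?"""
    if header is None:          # no header at all: this is the scanner finding
        return True
    if header == "DENY":
        return False
    if header == "SAMEORIGIN":
        return origin(cabi_url) == origin(ump_page_url)
    if header.startswith("ALLOW-FROM "):
        return origin(header[len("ALLOW-FROM "):]) == origin(ump_page_url)
    raise ValueError(f"unrecognised X-Frame-Options value: {header!r}")


def caveats(header):
    """Browser-support notes to weigh before relying on the header alone."""
    notes = []
    if header and header.startswith("ALLOW-FROM "):
        notes.append("ALLOW-FROM is ignored by Chrome and Safari and by Firefox 70+; "
                     "those browsers treat the header as absent")
    return notes


if __name__ == "__main__":
    hdr = expected_header(read_clickjacking_props(SAMPLE_BEAN_XML))
    print("X-Frame-Options:", hdr)
    cabi = "https://cabi.example.com/cabijs/"
    for page in ("https://ump.example.com/umpdashboard",   # FQDN, as the article requires
                 "https://10.0.0.5/umpdashboard",           # IP address: summary page breaks
                 "http://ump.example.com/umpdashboard"):    # wrong scheme: also blocked
        print(page, "->", "allowed" if framing_allowed(hdr, cabi, page) else "blocked")
    for note in caveats(hdr):
        print("note:", note)
```

To confirm what the live server actually sends after the restart, request the URL the scanner flagged and look at the header, for example `curl -sIk https://<CABI_URL>/cabijs/login.html | grep -i x-frame-options`; the value should be the string `expected_header` computes from your file, and the host in it must be the one users see in the address bar when they open UMP.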


Additional Information

Loading the summary dashboards in UMP may also require the following Chrome setting:

1. In your browser session, navigate to chrome://flags

2. Set "SameSite by default cookies" from 'Default' to 'Disabled'

This flag was removed from Chrome in version 91, so it is only available in older Chrome releases.

See also: CABI Summary dashboard does not work in Chrome (UIM 9.20), Article ID: 186993