The Security team's Bug Bounty program identified vulnerabilities in the FCC form logon pages. The information was made public and requires an immediate resolution.
For example, during the default FCC form login, when the username or another query parameter is injected with %5C, the browser triggers a pop-up script:
[07/30/2020][14:50:47][327496][314056][CSmHttpPlugin.cpp:656][CSmHttpPlugin::ProcessResource][<Transacton ID>][*10.x.x.x][][agent1][][][Resolved URL: '/siteminderagent/forms/smpwservices.fcc?username=mytest123%5Cx3Cscript%5Cx3Ealert%5Cx28document.domain%5Cx29%5Cx3C%5Cx2Fscript%5Cx3E&SMAUTHREASON=7'.].
Release : ALL
Component : SITEMINDER - WEB AGENT
Cross-Site Scripting vulnerabilities are common to any web-based application.
The customer can choose among several mitigations, starting by following the documentation, Help Prevent Attacks:
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/web-agent-configuration/user-protection/help-prevent-attacks.html
On the SiteMinder side, the customer can mitigate this by setting the ACO parameter CSSChecking to Yes and adding \ to badcsschars, so that badcsschars=<,',>,\
The user will then no longer get the pop-up and should instead receive a 403 Access Denied error. This directly resolves the issue.
Next, the customer can implement the ACO parameter SecureURLs (specifies whether the Web Agent encrypts the SiteMinder query parameters in a redirect URL). This option is often not practical to implement, because a large number of apps and agents are already integrated in production.
While badcsschars blocks risky input characters, the customer can further encode the output of the FCC form URL by implementing the following ACO parameters:
FCCHTMLEncoding=no
FCCHTMLEncodingChars=%00-%2f,%3a-%40,%5b-%60,%7b-%7f
When FCCHTMLEncoding=no, the characters listed in FCCHTMLEncodingChars are HTML-encoded.
The range list in FCCHTMLEncodingChars covers the following characters, among others:
%22 "
%23 #
%26 &
%27 '
%28 (
%29 )
%3c <
%3e >
%5c \
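The following is an added illustration, not the Web Agent's own code, of the two mitigations above: the badcsschars check (with and without the backslash added) run over the query string shape from the log line, and the FCCHTMLEncodingChars range encoding. It assumes a 403/200 status as the outcome of the check and uses numeric character references as the encoded form; both are simplifications for the example.

```python
from urllib.parse import unquote

# Constructed model of the ACO settings discussed on this page (assumed behaviour,
# not the SiteMinder implementation).
BAD_CSS_CHARS = set("<'>\\")          # badcsschars=<,',>,\  (backslash added)
FCC_HTML_ENCODING_CHARS = "%00-%2f,%3a-%40,%5b-%60,%7b-%7f"


def parse_ranges(spec):
    """Turn '%00-%2f,%3a-%40,...' into the set of code points it covers."""
    points = set()
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        lo = int(lo.lstrip("%"), 16)
        hi = int(hi.lstrip("%"), 16) if hi else lo
        points.update(range(lo, hi + 1))
    return points


def css_check(query_string, bad_chars=BAD_CSS_CHARS):
    """CSSChecking=Yes: URL-decode the query string and reject it (403)
    when any badcsschars character is present, otherwise allow (200)."""
    decoded = unquote(query_string)
    return 403 if any(c in bad_chars for c in decoded) else 200


def fcc_html_encode(value, spec=FCC_HTML_ENCODING_CHARS):
    """FCCHTMLEncoding=no with FCCHTMLEncodingChars set: HTML-encode every
    character whose code point falls inside the configured ranges."""
    encode = parse_ranges(spec)
    return "".join(f"&#x{ord(c):02x};" if ord(c) in encode else c for c in value)


if __name__ == "__main__":
    # Constructed sample with the same shape as the query string in the log line:
    # after decoding it holds a backslash but no literal '<', so the default
    # badcsschars value lets it through and only the added '\' entry blocks it.
    q = ("username=mytest123%5Cx3Cscript%5Cx3Ealert%5Cx28document.domain"
         "%5Cx29%5Cx3C%5Cx2Fscript%5Cx3E&SMAUTHREASON=7")
    print(css_check(q, set("<'>")))   # 200: backslash not in the old list
    print(css_check(q))               # 403: backslash now blocked
    print(fcc_html_encode("mytest123\\x3Cscript"))
```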