The APS ChangePassword servlet redirects the browser to whatever URL is supplied in its Target parameter, so a crafted link can send a user to an external, unintended site (an open redirect).
To illustrate, the following request could redirect to example.org instead of staying on example.com:
http://host.example.com/APS/ChangePassword?Target=http%3A%2F%2Fexample%2Eorg
Release : 12.52
Component : SITEMINDER ADVANCED PASSWORD SERVICES
The ValidDomains feature was introduced in Web Agent release 12.52 SP1 CR11.
Upgrade the Web Agent to 12.52 SP1 CR11 so that the updated APS.war is deployed.
Add a "ValidDomains=example.com" entry at the end of the SmPortal.cfg file in the Web Agent's bin folder, listing (comma-separated) every domain to which redirects should be permitted.
To illustrate:
FPS.smaps.Agent=WA_FPS
[...omitted for brevity...]
ValidDomains=example.com,example.net
Make sure the SMPORTAL environment variable points at SmPortal.cfg before starting the Tomcat server and the Web Agent, for example:
SMPORTAL=C:\{home_web_agent}\win64\bin\SmPortal.cfg
Once the configuration is in place, ChangePassword only accepts Target URLs whose host belongs to a domain on the ValidDomains list.
Additionally, the Target URL's host must be a fully qualified name containing at least two dots (for example host.example.com). A bare domain such as http://example.com is blocked even though example.com is listed, as the following Tomcat log entry shows:
ERROR 2021-05-20 16:14:12,886 [http-nio-8080-exec-10] com.ca.sso.aps.Change - Redirect URL is invalid: http://example.com
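To make the two rules above concrete (the host must belong to an allowlisted domain, and it must contain at least two dots), the following Python validator is an added illustration written for this article; it is not CA's APS code and the article does not document how APS itself compares the Target host against ValidDomains, so the matching rule used here (host equals a listed domain or ends with "." plus a listed domain) is an assumption. The sample Target values are constructed and include the classic open-redirect bypasses (suffix tricks, userinfo tricks, protocol-relative and non-http schemes) that a naive "contains example.com" check would let through.

```python
from urllib.parse import urlsplit

# Constructed allowlist mirroring the "ValidDomains=example.com,example.net"
# line added to SmPortal.cfg above.
VALID_DOMAINS_LINE = "ValidDomains=example.com,example.net"


def parse_valid_domains(line):
    """Parse a 'ValidDomains=a.com,b.net' line into a list of lowercase domains."""
    key, _, value = line.partition("=")
    if key.strip() != "ValidDomains":
        raise ValueError("not a ValidDomains line")
    return [d.strip().lower().lstrip(".") for d in value.split(",") if d.strip()]


def is_valid_redirect(target, valid_domains):
    """Return True if target is an absolute http(s) URL whose host is a fully
    qualified name (at least two dots) under one of valid_domains.

    Assumption (not stated in the article): a host matches a listed domain
    when it is equal to it or is a subdomain of it; a plain substring or
    suffix match would be bypassable (example.com.attacker.org).
    """
    try:
        parts = urlsplit(target)
    except ValueError:
        return False  # malformed URL (e.g. bad IPv6 literal)
    if parts.scheme.lower() not in ("http", "https"):
        return False  # rejects javascript:, data:, and protocol-relative //host
    host = parts.hostname  # strips userinfo (user@) and :port; None if no netloc
    if not host:
        return False
    host = host.lower().rstrip(".")
    if host.count(".") < 2:
        return False  # mirrors the log line: http://example.com is rejected
    return any(host == d or host.endswith("." + d) for d in valid_domains)


def check_targets(valid_domains):
    """Evaluate a set of constructed Target values; returns {target: allowed}."""
    targets = [
        "http://host.example.com/APS/ChangePassword",   # legitimate
        "https://www.example.net:8443/portal",          # legitimate, with port
        "http://example.org",                           # the article's attack URL
        "http://example.com",                           # listed, but only one dot
        "http://example.com.attacker.org/",             # suffix bypass attempt
        "http://www.example.com@attacker.org/",         # userinfo bypass attempt
        "//www.example.com/",                           # protocol-relative
        "javascript:alert(1)",                          # non-http scheme
    ]
    return {t: is_valid_redirect(t, valid_domains) for t in targets}


if __name__ == "__main__":
    domains = parse_valid_domains(VALID_DOMAINS_LINE)
    for target, allowed in check_targets(domains).items():
        print(f"{'ALLOW' if allowed else 'BLOCK'}  {target}")
```

Only the first two targets are allowed; everything else, including the one-dot http://example.com from the Tomcat log, is blocked.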