Service Desk Manager and JavaScript Hijacking: JSONP



Article ID: 247158




CA Service Management - Service Desk Manager


During a vulnerability scan on a Service Desk server, the following potential vulnerability was found:

This is a design flaw in the way the browser scripting is communicating with the server side components. In order to mitigate this vulnerability the way the client side and server side communicate must be changed. 

URLs affected: 

JavaScript Hijacking: JSONP https://sdmserver:9444/apps/insights/locale/es-ES/locale_insights_es-ES.json GET
JavaScript Hijacking: JSONP https://sdmserver:9444/apps/l1/locale/es-ES/locale_l1_es-ES.json GET
JavaScript Hijacking: JSONP https://sdmserver:9444/assets/i18n/en_US.json GET
JavaScript Hijacking: JSONP https://sdmserver:9444/assets/i18n/es_ES.json GET
JavaScript Hijacking: JSONP https://sdmserver:9444/bower_components/workflowdesigner/locale/es-ES/locale_designer_es-ES.json GET
JavaScript Hijacking: JSONP https://sdmserver:9444/locale/es-ES/locale_common_es-ES.json GET



Service Desk Manager 17.3

All Supported Operating Systems


Service Desk Manager uses the JSON format to return static error messages and UI labels (localization bundles) for the product UI. The URLs listed above are such bundles.

Service Desk Manager does not disclose any user or session data through these JSON resources; the content returned does not depend on who requests it.

JavaScript hijacking via JSONP only exposes data when a callback-wrapped response differs for an authenticated victim, so that a cross-site page can include the URL in a script tag and have the victim's session-specific payload handed to an attacker-controlled callback. A plain JSON object is a syntax error when loaded as a script, and a static bundle gives a cross-site attacker nothing beyond what any direct request already returns. Therefore there is no vulnerability here, and the finding can be treated as a false positive for these URLs. To confirm this for any future finding of the same class, fetch the URL with and without a valid session cookie and compare the responses: a response that is identical in both cases and is plain JSON rather than a callback wrapper cannot be hijacked.
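As an added example (not code from Service Desk Manager or its vendor) of the check behind the conclusion above, the following Node.js script shows why a plain JSON body is unreadable to a cross-site script include while a callback-wrapped one is not, and classifies a finding by comparing the bodies returned for the same URL with and without a session. The sample locale body, the example.test endpoint and the `steal` callback name are constructed for the demonstration.

```javascript
// Added example for triaging a "JavaScript Hijacking: JSONP" scanner finding.
// This is not code from Service Desk Manager or its vendor; the URLs, bodies
// and the `steal` callback name are constructed for the demonstration.

// What a cross-origin <script src="..."> does with a response: the browser
// parses the body as JavaScript and executes it. A plain JSON object is a
// syntax error in that context; a JSONP body `cb({...})` runs and hands the
// payload to whatever `cb` the including page defined.
function simulateScriptInclude(body) {
  let captured = null;
  const steal = (payload) => { captured = payload; };
  try {
    // new Function() stands in for the attacker page's script context,
    // with `steal` playing the attacker-defined global callback.
    new Function('steal', body)(steal);
    return { executed: true, captured, error: null };
  } catch (e) {
    return { executed: false, captured: null, error: e.name };
  }
}

// Heuristic: a body that begins with an identifier followed by '(' is
// callback-wrapped (JSONP) rather than plain JSON.
const JSONP_WRAPPER = /^\s*[A-Za-z_$][\w$.]*\s*\(/;
function looksLikeJsonp(body) {
  return JSONP_WRAPPER.test(body);
}

// Classify one finding from two fetches of the same URL: `anon` is the body
// returned with no session cookie, `authed` the body returned with a valid one.
function triage({ anon, authed }) {
  if (!looksLikeJsonp(anon) && !looksLikeJsonp(authed)) {
    return 'not-jsonp';          // plain JSON: a <script> include cannot read it
  }
  if (anon === authed) {
    return 'jsonp-static';       // loadable, but carries no session-bound data
  }
  return 'jsonp-session-data';   // real exposure: the payload depends on the cookie
}

// Constructed samples (not real Service Desk Manager responses).
const LOCALE_JSON = '{"btn.save":"Guardar","btn.cancel":"Cancelar"}';
const SAMPLE_FINDINGS = {
  // A static localisation bundle of the kind listed in the scan report:
  // identical bytes whether or not the requester is logged in.
  'https://sdmserver:9444/assets/i18n/es_ES.json': {
    anon: LOCALE_JSON,
    authed: LOCALE_JSON,
  },
  // Hypothetical JSONP endpoint on some other application, included only to
  // show what a true positive looks like: wrapped, and session-dependent.
  'https://example.test/api/me?callback=steal': {
    anon: 'steal({"user":null})',
    authed: 'steal({"user":"alice","email":"alice@example.test"})',
  },
};

// Run triage over every finding and return a URL -> verdict map.
function triageAll(findings) {
  const verdicts = {};
  for (const [url, bodies] of Object.entries(findings)) {
    verdicts[url] = triage(bodies);
  }
  return verdicts;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [url, verdict] of Object.entries(triageAll(SAMPLE_FINDINGS))) {
    console.log(`${verdict.padEnd(18)} ${url}`);
  }
  console.log(simulateScriptInclude(LOCALE_JSON));
}
```

A JSON array body (`["a","b"]`) does parse as a script, but it executes as a bare expression and is never handed to attacker code; the old Array-constructor-override trick that made that exploitable was closed in browsers years ago, which is why the triage keys on the callback wrapper and on session dependence rather than on loadability alone.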

Additional Information

CWE-346: Origin Validation Error (https://cwe.mitre.org/data/definitions/346.html)