Service Desk Manager and JavaScript Hijacking: JSONP
Article ID: 247158
Updated On:
Products
CA Service Management - Service Desk Manager
CA Service Desk Manager
Issue/Introduction
During a vulnerability scan on a Service Desk server, the following potential vulnerability was found:
This is a design flaw in the way the browser scripting is communicating with the server side components. In order to mitigate this vulnerability the way the client side and server side communicate must be changed.
URLs affected:
| JavaScript Hijacking: JSONP | https://sdmserver:9444/apps/insights/locale/es-ES/locale_insights_es-ES.json | GET |
| JavaScript Hijacking: JSONP | https://sdmserver:9444/apps/l1/locale/es-ES/locale_l1_es-ES.json | GET |
| JavaScript Hijacking: JSONP | https://sdmserver:9444/assets/i18n/en_US.json | GET |
| JavaScript Hijacking: JSONP | https://sdmserver:9444/assets/i18n/es_ES.json | GET |
| JavaScript Hijacking: JSONP | https://sdmserver9444/bower_components/workflowdesigner/locale/es-ES/locale_designer_es-ES.json | GET |
| JavaScript Hijacking: JSONP | https://sdmserver:9444/locale/es-ES/locale_common_es-ES.json | GET |
Environment
Service Desk Manager 17.x
All Supported Operating Systems
Resolution
Service Desk Manager uses the JSON format to return static, error messages and labels for the product UI.
Service Desk Manager does not disclose any user information data using JSON.
Therefore there is no vulnerability since no personal/secure information can be obtained.
Additional Information
CWE-346: Origin Validation Error - https://cwe.mitre.org/data/definitions/346.html
Feedback
Yes
No
Powered by
