During a vulnerability scan on a Service Desk server, the following potential vulnerability was found:
This is a design flaw in the way the browser-side scripting communicates with the server-side components. To mitigate this vulnerability, the way the client side and server side communicate must be changed.
URLs affected:
JavaScript Hijacking: JSONP | https://sdmserver:9444/apps/insights/locale/es-ES/locale_insights_es-ES.json | GET |
JavaScript Hijacking: JSONP | https://sdmserver:9444/apps/l1/locale/es-ES/locale_l1_es-ES.json | GET |
JavaScript Hijacking: JSONP | https://sdmserver:9444/assets/i18n/en_US.json | GET |
JavaScript Hijacking: JSONP | https://sdmserver:9444/assets/i18n/es_ES.json | GET |
JavaScript Hijacking: JSONP | https://sdmserver:9444/bower_components/workflowdesigner/locale/es-ES/locale_designer_es-ES.json | GET |
JavaScript Hijacking: JSONP | https://sdmserver:9444/locale/es-ES/locale_common_es-ES.json | GET |
Service Desk Manager 17.x
All Supported Operating Systems
Service Desk Manager uses the JSON format to return static error messages and labels for the product UI.
Service Desk Manager does not disclose any user information in these JSON responses.
Therefore, there is no vulnerability, since no personal or secure information can be obtained.
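The reasoning above can be checked per flagged URL. The following is an added example, not Service Desk Manager code or scanner output: it treats a finding as relevant only when the response differs between two user sessions, and separately notes whether the body is JSONP-wrapped. All response bodies and the `/hypothetical/...` paths are constructed for illustration.

```javascript
// Constructed sample data: the body the same URL returned under two different
// logged-in users. None of these bodies were captured from a real server.
const samples = [
  { url: "/assets/i18n/en_US.json",
    userA: '{"login.title":"Sign in","error.required":"This field is required"}',
    userB: '{"login.title":"Sign in","error.required":"This field is required"}' },
  { url: "/hypothetical/profile?callback=cb",
    userA: 'cb({"name":"User A","email":"a@example.test"})',
    userB: 'cb({"name":"User B","email":"b@example.test"})' },
  { url: "/hypothetical/profile.json",
    userA: '{"name":"User A"}',
    userB: '{"name":"User B"}' },
];

// True when the body is a JSON value wrapped in a function call (JSONP),
// which is the form a cross-origin <script> include can consume directly.
function isJsonpWrapped(body) {
  const m = /^\s*[\w$.]+\s*\(([\s\S]*)\)\s*;?\s*$/.exec(body);
  if (!m) return false;
  try {
    JSON.parse(m[1]);
    return true;
  } catch {
    return false;
  }
}

// Classify one flagged URL:
//   "static"        - identical for both users, nothing user-specific to leak
//   "exposed-jsonp" - per-user data in a JSONP response, needs a fix
//   "per-user-json" - per-user data in plain JSON, review CORS and auth instead
function triage(sample) {
  const perUser = sample.userA !== sample.userB;
  if (!perUser) return "static";
  const jsonp = isJsonpWrapped(sample.userA) || isJsonpWrapped(sample.userB);
  return jsonp ? "exposed-jsonp" : "per-user-json";
}

function triageAll(list) {
  return list.map((s) => ({ url: s.url, verdict: triage(s) }));
}

for (const r of triageAll(samples)) {
  console.log(r.verdict.padEnd(14), r.url);
}
```

A `static` verdict matches the situation described here: the locale files carry the same labels and messages for every user.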
CWE-346: Origin Validation Error - https://cwe.mitre.org/data/definitions/346.html