Service Desk Manager and JavaScript Hijacking: JSONP
Article ID: 247158

Products

CA Service Management - Service Desk Manager
CA Service Desk Manager

Issue/Introduction

During a vulnerability scan on a Service Desk server, the following potential vulnerability was found:

This is a design flaw in the way the browser scripting communicates with the server-side components. In order to mitigate this vulnerability, the way the client side and server side communicate must be changed.

URLs affected: 

JavaScript Hijacking: JSONP https://sdmserver:9444/apps/insights/locale/es-ES/locale_insights_es-ES.json GET
JavaScript Hijacking: JSONP https://sdmserver:9444/apps/l1/locale/es-ES/locale_l1_es-ES.json GET
JavaScript Hijacking: JSONP https://sdmserver:9444/assets/i18n/en_US.json GET
JavaScript Hijacking: JSONP https://sdmserver:9444/assets/i18n/es_ES.json GET
JavaScript Hijacking: JSONP https://sdmserver:9444/bower_components/workflowdesigner/locale/es-ES/locale_designer_es-ES.json GET
JavaScript Hijacking: JSONP https://sdmserver:9444/locale/es-ES/locale_common_es-ES.json GET


Environment

Service Desk Manager 17.x

All Supported Operating Systems

Resolution

Service Desk Manager uses the JSON format to return static error messages and labels for the product UI. The flagged URLs are localization (i18n) bundles: the same file is returned to every user, whether or not a session exists.

Service Desk Manager does not disclose any user information through these JSON resources.

JavaScript hijacking only yields something to an attacker when a cross-origin response executes as script (for example, JSON wrapped in a caller-supplied JSONP callback) and carries data specific to the victim's session. Neither condition holds for these resources, so no personal or secured information can be obtained and this finding is not a vulnerability. To confirm this on a given installation, request one of the flagged URLs with and without a session cookie, and once more with a callback query parameter appended, and verify that the body is identical in every case and is plain JSON rather than a script wrapper.

Additional Information

CWE-346: Origin Validation Error - https://cwe.mitre.org/data/definitions/346.html