Security vulnerability is reported after a server vulnerability scan.

The page referenced is an OOTB page and authscheme.

Severity Rating: Medium

https://example.example.com/siteminderagent/forms/smpwservices.fcc?USERNAME=\u003cimg\u0020src\u003dx\u0020onerror\u003d\u0022confirm(document.domain)\u0022\u003e&SMAUTHREASON=7

Note: Here 'example.example.com' is WebAgent Host FQDN.

Vulnerability Summary: Cross-Site Scripting (XSS) 

Impact:

Cookie Stealing - A malicious user can steal cookies and use them to gain access to the application.

Arbitrary requests - An attacker can use XSS to send requests that appear to be from the victim to the web server.
Malware download - XSS can prompt the user to download malware. Since the prompt looks like a legitimate request from the
site, the user may be more likely to trust the request and actually install the malware.

All policy server releases: 12.8

Web agent:12.52

1. During password services processing, a user request is redirected multiple times. When the request is redirected, the login ID (typically the username) which was entered by the user is appended to the request URL by default. To modify the default behavior so that the login ID (username) is not appended to redirects, do the following procedures per the documentation (Remove the Login ID When Redirecting for Password Services): How to Configure Password Policies

3. Additionally, one can implement an ACO parameter called SecureURLs (Specifies whether the Web Agent encrypts the SiteMinder query parameters in a redirect URL). This option often is not practical to implement, due to a large number of apps and agents are already integrated with production. However, it is the ultimate solution.

SecureURLs is used for encrypting query string parameters in redirection URLs within a single sign-on environment, when doing so, ensure that all Web Agents in the single sign-on environment have the SecureURLs parameter set to the same value.

See Encrypt Query String Parameters in Redirection URLs.