The Siteminder AdminUI can be susceptible to Cross-Site Scripting (XSS) attacks when deployed with its out-of-the-box configuration.
Example (probe URL, script payload shown unencoded): https://adminui/iam/siteminder/console/ui7/<script>document.location="http://my_malicious_site/"</script>
Release: 12.8.03; r12.8.4; r12.8.5; r12.8.6; r12.8.7
As with any web server or web application, hardening is not done out of the box (OOTB); it must be configured explicitly.
Option #1: Protect the Siteminder AdminUI with Siteminder Access Gateway and set the following in the Agent Configuration Object (ACO):
CSSChecking = yes
BadCSSChars = <,',>,%22
NOTE: Review the 'Help Prevent Attacks' section of the Siteminder product guide to decide whether other characters should be added to this list, and whether to also implement 'BadUrlChars', 'BadFormChars', 'BadQueryChars', 'IpChecking', etc.
Option #2: Implement the attached fix, which filters the bad characters within the JBoss WildFly instance hosting the Siteminder AdminUI, so the check does not depend on an Access Gateway in front of the UI.
1) Download "AdminUI-CharFilter.zip" (attached)
2) Installation instructions are in the 'readme.txt' file contained within.
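The following is an added illustration, not Broadcom's code and not the contents of the attached AdminUI-CharFilter.zip. It models the bad-character check that both options place in front of the AdminUI (Option #1 via the ACO BadCSSChars value, Option #2 via a filter in WildFly) next to the unescaped-reflection pattern that makes a URL like the example above exploitable. How the real AdminUI reflects the requested path, and how the Web Agent matches BadCSSChars internally, are not stated in this article; the handlers and the matching rule below are assumptions, and the sample URLs are constructed.

```python
"""Model of a BadCSSChars-style request filter beside the reflected-XSS
pattern it is meant to stop. Illustration only; not vendor code."""
import html
from urllib.parse import unquote, urlsplit

# Sequences from the article's BadCSSChars value. "%22" is kept as a literal
# three-character sequence, exactly as the ACO value spells it.
BAD_CSS_CHARS = ("<", "'", ">", "%22")

# Constructed sample requests. EXAMPLE is the article's probe URL.
EXAMPLE = ('https://adminui/iam/siteminder/console/ui7/'
           '<script>document.location="http://my_malicious_site/"</script>')
ENCODED = ('https://adminui/iam/siteminder/console/ui7/'
           '%3Cscript%3Ealert(1)%3C/script%3E')
BENIGN = 'https://adminui/iam/siteminder/console/ui7/index.jsp?tab=policies'


def request_target(url: str) -> str:
    """Path plus query string: the part of the request a filter inspects."""
    parts = urlsplit(url)
    return parts.path + ("?" + parts.query if parts.query else "")


def contains_bad_chars(url: str, bad=BAD_CSS_CHARS) -> bool:
    """True if any bad sequence appears in the request target, in either its
    literal or its percent-decoded form. Checking both forms is this
    example's own choice (assumption, not the agent's documented rule): it
    means "%3C" is caught by the "<" entry without listing every encoding."""
    target = request_target(url)
    return any(seq in form for form in (target, unquote(target)) for seq in bad)


def handle_unfiltered(url: str):
    """Hypothetical 404 handler that echoes the requested path into HTML
    without escaping: the reflected-XSS pattern. Returns (status, body)."""
    body = f"<html><body>Resource {request_target(url)} not found</body></html>"
    return 404, body


def handle_hardened(url: str):
    """Same handler with both defences: reject requests carrying bad
    sequences up front (what the ACO or servlet filter does), and HTML-escape
    anything still reflected (defence in depth for characters the list does
    not name, such as a literal double quote). Returns (status, body)."""
    if contains_bad_chars(url):
        return 403, "<html><body>Forbidden</body></html>"
    safe = html.escape(request_target(url), quote=True)
    return 404, f"<html><body>Resource {safe} not found</body></html>"


if __name__ == "__main__":
    for url in (EXAMPLE, ENCODED, BENIGN):
        print(contains_bad_chars(url), handle_hardened(url)[0], url)
```

Two points the model makes visible: the BadCSSChars list is a set of literal sequences, so a filter that only matches the raw request will miss encodings it does not name unless it also checks the decoded form; and a list that names "%22" but not a bare double quote still lets that character through, which is why output escaping in the application remains worth having behind either option.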
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/policy-server-configuration/start-the-administrative-ui-and-manage-objects/protect-the-administrative-ui-with-siteminder.html
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/web-agent-configuration/user-protection/help-prevent-attacks.html