XSS allows an attacker to execute a dynamic script in the context of the application. This opens up several attack opportunities, mostly hijacking the user's current session or changing the HTML of the page on the fly to steal the user's credentials. It happens because input entered by the user is interpreted by the browser as HTML, JavaScript or VBScript. An attacker can use XSS to send a malicious script to an unsuspecting user.
Steps to replicate:
Edit the URL:
From: http://sdmsv:8080/CAisd/pdmweb.exe?OP=REFRESH_SCOREBOARD+SID=336702883+FID=8669+TGT=scoreboard+TS=1679296066
To: http://sdmsv:8080/CAisd/pdmweb.exe?OP=REFRESH_SCOREBOARD+SID=336702883+FID=3877+TGT=alert(document.domain)+TS=1679296066
Release: 17.3
# Install this variable first:
pdm_options_mgr -c -a pdm_option.inst -s VALIDATE_REQUEST_PARAMETER -v 1
pdm_options_mgr -c -a pdm_option.inst -s VALIDATE_REQUEST_PARAMETER -v 1 -t
# Update the web.cfg file with the following line:
SecureParameter.TGT AlphabetsOnly
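
To check web access logs for requests that a letters-only rule on TGT would reject, the following added example (not CA/Broadcom code) parses the '+'-separated pdmweb.exe query string and flags non-alphabetic TGT values. It assumes AlphabetsOnly means A-Z and a-z only; the function names and the third, percent-encoded URL are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumption: AlphabetsOnly accepts only the letters A-Z and a-z.
ALPHA_ONLY = re.compile(r"[A-Za-z]+")

def pdmweb_params(url):
    """Parse a pdmweb.exe query string, whose pairs are joined by '+' (or '&')."""
    params, last = {}, None
    for piece in re.split(r"[+&]", urlsplit(url).query):
        name, sep, value = piece.partition("=")
        if sep:
            last = name.upper()
            params[last] = unquote(value)
        elif last is not None:
            # No '=' in this piece: the separator belonged to the previous
            # value, so keep it there (it will then fail the letters-only test).
            params[last] += "+" + unquote(piece)
    return params

def tgt_is_suspicious(url):
    """True when TGT is present and is not made of letters only."""
    tgt = pdmweb_params(url).get("TGT")
    return tgt is not None and ALPHA_ONLY.fullmatch(tgt) is None

def flag_requests(urls):
    """Return the request URLs whose TGT value would fail the rule."""
    return [u for u in urls if tgt_is_suspicious(u)]

# First two URLs are the ones from the steps above; the third is a
# constructed variant with the same value percent-encoded.
BASE = "http://sdmsv:8080/CAisd/pdmweb.exe?OP=REFRESH_SCOREBOARD+SID=336702883"
SAMPLE = [
    BASE + "+FID=8669+TGT=scoreboard+TS=1679296066",
    BASE + "+FID=3877+TGT=alert(document.domain)+TS=1679296066",
    BASE + "+FID=3877+TGT=alert%28document.domain%29+TS=1679296066",
]

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE):
        print("non-alphabetic TGT:", hit)
```
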