Cross-Site Scripting (XSS) vulnerabilities in CA Service Point noted when using CA Catalog offerings

Article ID: 268650

Products

CA Service Management - Service Desk Manager
CA Service Catalog

Issue/Introduction

The following vulnerabilities were reported in 17.3 RU22:

1. In ticket comments, the hyperlink functionality can be used to execute JavaScript code. Example: javascript:alert('XSS')

The hyperlink functionality can be used to inject JavaScript code, and the injected JavaScript can then be triggered when the comment is edited. All of the injected JavaScript code can later be triggered directly in the Service Catalog Notes.

2. Dragging the "Mark conversation as high importance" button into the text box and later changing its HTML code in the HTTP request.
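
For item 1, the usual defence is a scheme allow-list applied to hyperlink targets on the server, both when a comment is saved and when it is rendered. The following is an added example, not Broadcom's fix or code from the product; the base URL, the allowed schemes and the function names are assumptions.

```javascript
// Added example (not product code): allow-list check for hyperlink targets in comments.
// BASE and ALLOWED_SCHEMES are assumed values chosen for illustration.
const BASE = "https://servicepoint.example/";
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Returns a normalized href that is safe to place in <a href="...">, or null.
function safeHref(raw) {
  if (typeof raw !== "string") return null;
  let url;
  try {
    // The WHATWG URL parser normalizes the way a browser does: it strips
    // leading control characters and spaces, removes tabs and newlines,
    // and lowercases the scheme, so obfuscated spellings are caught too.
    url = new URL(raw, BASE);
  } catch {
    return null; // unparseable input is never linked
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Minimal HTML escaping for text and attribute values.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Renders a comment hyperlink; a rejected target degrades to plain text.
// Run this on the server at render time as well as at save time, so that
// values altered in the HTTP request or stored earlier are still checked.
function renderLink(raw, label) {
  const href = safeHref(raw);
  const text = escapeHtml(label);
  if (href === null) return text;
  return `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${text}</a>`;
}

// Constructed sample inputs, including the example string from this article.
const samples = ["javascript:alert('XSS')", " \tJaVa\nScRiPt:alert(1)",
                 "data:text/html,x", "https://example.com/a", "/ticket/42"];
for (const s of samples) console.log(JSON.stringify(s), "->", safeHref(s));
```
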

Environment

Release: 17.3

Resolution

The fix is included in 17.3 RU23 and 17.4 RU1.