Vulnerability CVE-2023-23956 in Web Agent
Article ID: 272635

Products

  • SITEMINDER CA Single Sign On Agents (SiteMinder)
  • CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction


A priority vulnerability has been found in the SiteMinder Web Agent, tracked as CVE-2023-23956 (1).

 

Environment

 

Release : R12.52 webagents

 

Cause

All the URLs below go to the same path:

   /siteminderagent/forms/smpwservices.fcc

The main difference between them is the parameter that carries the payload; both are related to password services.
In these cases, the problem is that the value entered in the USERNAME parameter is written directly into the DOM with document.write(), which is inherently susceptible to XSS because it can insert HTML and JavaScript into the DOM.
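The sink described above, shown as an added example that is not code from the SiteMinder Web Agent or from this article. The function names (fccHtmlEncode, buildUnsafeMarkup, buildSafeMarkup, attributeValue), the hidden-input shape used to carry the USERNAME value and the sample username are all assumptions made for illustration; the set of characters encoded is the FCCHTMLEncodingChars list from the Resolution section (%22 " , %26 & , %27 ' , %3c < , %3e > , %5c \). The unsafe builder passes the value through unchanged, so a quote in the value closes the attribute early; the hardened builder encodes those characters first, so the value stays inside the attribute whatever it contains.

```javascript
// Added example (not Broadcom/SiteMinder code): the document.write() DOM sink
// described in the article, first unencoded, then with the characters listed
// in FCCHTMLEncodingChars HTML-encoded before the value reaches the sink.

// Characters from the FCCHTMLEncodingChars list mapped to HTML entities.
// Backslash has no named entity, so a hex character reference is used.
const ENCODE_MAP = {
  '"': '&quot;',
  '&': '&amp;',
  "'": '&#x27;',
  '<': '&lt;',
  '>': '&gt;',
  '\\': '&#x5c;',
};

// HTML-encode exactly the characters in the ACO list; everything else passes through.
function fccHtmlEncode(value) {
  return String(value).replace(/["&'<>\\]/g, (ch) => ENCODE_MAP[ch]);
}

// Unsafe pattern (assumed form of the embedding): the USERNAME value is
// concatenated into markup unchanged, so markup characters in the value are
// parsed as HTML instead of being shown as text.
function buildUnsafeMarkup(username) {
  return '<input type="hidden" name="USERNAME" value="' + username + '">';
}

// Hardened pattern: encode first, then build the markup. The value can no
// longer terminate the attribute or introduce new elements.
function buildSafeMarkup(username) {
  return '<input type="hidden" name="USERNAME" value="' + fccHtmlEncode(username) + '">';
}

// Extracts what an HTML parser would treat as the value attribute: the text
// up to the first unencoded double quote. Used to show where the unsafe
// fragment breaks out of the attribute.
function attributeValue(markup) {
  const m = /value="([^"]*)"/.exec(markup);
  return m ? m[1] : null;
}

// Constructed sample value (not from a real request): a name containing
// every character class in the ACO list.
const SAMPLE_USERNAME = 'O\'Brien <admin> & "co" \\';

if (typeof document !== 'undefined') {
  // In a browser, only the hardened fragment should ever reach document.write().
  document.write(buildSafeMarkup(SAMPLE_USERNAME));
} else {
  // Under Node, print both fragments so the difference is visible.
  console.log('unsafe :', buildUnsafeMarkup(SAMPLE_USERNAME));
  console.log('safe   :', buildSafeMarkup(SAMPLE_USERNAME));
}
```

Note that fccHtmlEncode is not idempotent: running it over a value that is already encoded turns the `&` of each entity into `&amp;`, so encoding belongs at the sink, applied once, and not at several points along the way.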

 

Resolution


Add the following Agent Configuration Object (ACO) parameters (2):

  • FCCHTMLEncoding = no
  • FCCHTMLEncodingChars = %22,%26,%27,%3c,%3e,%5c

Restart the Web Agent to apply the fix.

Rerun the vulnerability scan to confirm that the finding no longer appears.

 

Additional Information