XSS vulnerability in activity log description

Article ID: 385869

Products

CA Service Management - Service Desk Manager

Issue/Introduction

When a user updates a ticket, the user can insert a JavaScript snippet into the description field, which results in a cross-site scripting (XSS) vulnerability. For example:

1. Go to the left menu and open a ticket list.
2. Click on a ticket from the ticket list.
3. A new window appears. In the top menu, click on Activities > Callback.
4. A new window appears. In the User Description field enter the following text and save:
<img/src/onerror=prompt()>

Once saved, the script runs and a popup box is displayed.

Environment

CA Service Desk Manager 17.3 and higher

Resolution

Please take a look at

Securing CA SDM from Cross-Site Scripting Vulnerabilities

You would need to check whether

@NX_VALIDATE_REQUEST_PARAMETER=1

is present in the NX.env file. If it is NOT, you would need to install this option according to the techdocs mentioned above.

For your specific case, you would also need to add

Windows_SecureValidator.AlphaNumericHiphenUnderScoreColonSpaceEqualCommaPercentDot ^[A-Za-z0-9-_: =,\\%.]*$

SecureParameter.ALG.DESCRIPTION AlphaNumericHiphenUnderScoreColonSpaceEqualCommaPercentDot

SecureParameter.ALG.ACTION_DESC AlphaNumericHiphenUnderScoreColonSpaceEqualCommaPercentDot

to the SDM-install\bopcfg\www\web.cfg file in the proper sections and restart SDM.

After that, when a user tries to insert a script into an activity log (for example, a Callback description), such as

<img/src/onerror=prompt()>

the user will get an AHD argument error and NO script will run.

Additional Information

The resolution provided covers incident/request/problem/change order type tickets. For issues, you would also need to add the following to the web.cfg file:

SecureParameter.SET.ISSALG.DESCRIPTION AlphaNumericHiphenUnderScoreColonSpaceEqualCommaPercentDot
SecureParameter.SET.ISSALG.ACTION_DESC AlphaNumericHiphenUnderScoreColonSpaceEqualCommaPercentDot
SecureParameter.SET.ACTIONS AlphaNumericHiphenUnderScoreColonSpaceEqualCommaPercentDot
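A model of the allow-list check that the SecureParameter lines above configure, added here as an illustration and not CA SDM code. The validator name and the ALG/ISSALG form names are taken from the web.cfg lines on this page; the character class is reconstructed from the validator's name, and the "request" and its parameter values are constructed sample input. It shows the page's test string being rejected on an ALG form, passing through unchecked on an issue (ISSALG) form while only the ALG lines exist, and being rejected once the entries from Additional Information are added.

```python
import re

# Allow-list validators keyed by the name used in web.cfg.  The class is
# reconstructed from the validator's name (letters, digits, hyphen, underscore,
# colon, space, equals, comma, percent, dot); the hyphen is escaped so no regex
# engine can read it as a range.  fullmatch() gives whole-value semantics like
# the ^...$ anchors on the Windows_SecureValidator line.
ALLOWLIST = "AlphaNumericHiphenUnderScoreColonSpaceEqualCommaPercentDot"
VALIDATORS = {ALLOWLIST: re.compile(r"[A-Za-z0-9\-_: =,%.]*")}

# (form, parameter) -> validator name, mirroring the SecureParameter.ALG.* lines.
ALG_ONLY = {
    ("ALG", "DESCRIPTION"): ALLOWLIST,
    ("ALG", "ACTION_DESC"): ALLOWLIST,
}
# The same plus the ISSALG entries that issue tickets need (Additional Information).
WITH_ISSUES = {
    **ALG_ONLY,
    ("ISSALG", "DESCRIPTION"): ALLOWLIST,
    ("ISSALG", "ACTION_DESC"): ALLOWLIST,
}


class ArgumentError(ValueError):
    """Stands in for the AHD argument error the user sees when a value is rejected."""


def is_allowed(validator_name, value):
    """True when the whole value consists of allow-listed characters only."""
    return VALIDATORS[validator_name].fullmatch(value) is not None


def validate_request(form, params, secure_parameters):
    """Validate each parameter of `form` that has a SecureParameter mapping.

    Returns the names of the parameters that were checked.  A parameter with no
    mapping is passed through unchecked, which is why an ISSALG form needs its
    own entries: the ALG lines do nothing for it.
    """
    checked = []
    for name, value in params.items():
        validator_name = secure_parameters.get((form, name))
        if validator_name is None:
            continue  # no SecureParameter line for this form/field: not validated
        if not is_allowed(validator_name, value):
            raise ArgumentError(f"{form}.{name}: characters outside the allow-list")
        checked.append(name)
    return checked


def rejects(form, params, secure_parameters):
    """Does this configuration block the request?"""
    try:
        validate_request(form, params, secure_parameters)
    except ArgumentError:
        return True
    return False
```

Calling rejects("ISSALG", {"DESCRIPTION": "<img/src/onerror=prompt()>"}, ALG_ONLY) returns False, and the same call with WITH_ISSUES returns True.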