SiteMinder adminUI vulnerabilities - DOMPurify CVE-2025-26791

Article ID: 441059


Updated On:

Products

SITEMINDER

Issue/Introduction

The version of DOMPurify running on the remote system is out of date. Depending on the configuration, it may be vulnerable to cross-site scripting, information disclosure, and other vulnerabilities.

Environment

PRODUCT: Symantec SiteMinder

COMPONENT: AdminUI

VERSION: 12.8 SP 7 and above

OS: Any

Cause

Vulnerable Version - DOMPurify | Jun 03, 2025 | 8080 | /ca/api/sso/services/v1/api-doc/swagger-ui-bundle.js

Vulnerable Version - DOMPurify | Jun 03, 2025 | 8443 | /ca/api/sso/services/v1/api-doc/swagger-ui-bundle.js

Resolution

Update the 'api-doc.war' on the SiteMinder AdminUI using the fixes in this KB.

WINDOWS

1) Download 'DOMPurify_AdminUI_Fix.zip' from this KB and copy it to the AdminUI server.

2) Decompress 'DOMPurify_AdminUI_Fix.zip'.

3) Stop the AdminUI Service.

4) Back up the following directory:

<Siteminder_Home>\adminui\standalone\deployments\iam_siteminder.ear\api-doc.war

5) Replace the 'api-doc.war' files with the files from 'DOMPurify_AdminUI_Fix.zip'.

6) Start AdminUI Service.

LINUX

1) Download 'DOMPurify_AdminUI_Fix.tar.gz' from this KB and copy it to the AdminUI server.

2) Decompress 'DOMPurify_AdminUI_Fix.tar.gz'.

3) Stop the AdminUI Service.

4) Back up the following directory:

<Siteminder_Home>/adminui/standalone/deployments/iam_siteminder.ear/api-doc.war

5) Replace the 'api-doc.war' files with the files from 'DOMPurify_AdminUI_Fix.tar.gz'.

6) Start AdminUI Service.
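
To confirm the fix took effect, the DOMPurify version embedded in swagger-ui-bundle.js can be compared before and after the replacement. The script below is an added example, not part of this KB or the fix package. It assumes the minified bundle keeps DOMPurify's version="X.Y.Z" assignment directly before its .removed=[] assignment, and it takes the fixed version as an argument because this KB does not state one (use the value from the CVE-2025-26791 advisory).

```shell
#!/bin/sh
# Added example: report the DOMPurify version(s) embedded in a swagger-ui-bundle.js.
# Usage: sh check_dompurify.sh <path-to>/swagger-ui-bundle.js <FIXED_VERSION>
# Assumption: the bundle contains  X.version="1.2.3",X.removed=[]  for each copy.

# Print each distinct DOMPurify version string found in bundle file $1.
dompurify_versions() {
    { grep -oE 'version="[0-9]+\.[0-9]+\.[0-9]+",[A-Za-z_$][A-Za-z0-9_$]*\.removed=' "$1" || true; } |
        sed -E 's/^version="([0-9.]+)".*/\1/' | sort -u
}

# Return 0 if version $1 >= version $2, comparing each component numerically.
version_ge() {
    [ "$1" = "$2" ] && return 0
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$2" ]
}

# check_bundle FILE MIN_VERSION
# Returns 0 if every embedded copy is >= MIN_VERSION, 1 if any copy is older,
# 2 if no version marker was found (pattern mismatch or wrong file).
check_bundle() {
    versions=$(dompurify_versions "$1")
    [ -n "$versions" ] || { echo "UNKNOWN no DOMPurify version marker in $1"; return 2; }
    rc=0
    for v in $versions; do
        if version_ge "$v" "$2"; then echo "OK $v"; else echo "OUTDATED $v"; rc=1; fi
    done
    return $rc
}

# Constructed sample (not a real bundle; version numbers are made up) for a dry run.
make_sample() {
    printf '%s' '!function(){e.version="1.4.9",e.removed=[]}();t.version="2.10.0",t.removed=[];' > "$1"
}

if [ "$#" -eq 2 ]; then
    check_bundle "$1" "$2"
fi
```

Run it against the backup copy from step 4 and against the deployed copy after step 6; an UNKNOWN result means the pattern did not match and the version has to be checked another way.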

Attachments

DOMPurify_AdminUI_Fix.zip
DOMPurify_AdminUI_Fix.tar.gz