XSS Vulnerability in SSPR

  • 7017399
  • 22-Mar-2016
  • 22-Mar-2016

Environment

Self Service Password Reset
SSPR 2.x
SSPR 3.x up to and including 3.3.1.1

Situation

SSPR 2.x and SSPR 3.x are vulnerable to a cross-site scripting (XSS) attack in which an attacker can inject arbitrary JavaScript into a user's browser session by getting the user to click on a specially crafted link. After the initial attack, the affected parameter persists in the user's cookie and re-triggers execution of the injected script every time the user visits the affected page, until the cookie expires (one week by default).

The issue has been assigned CVE-2016-1599.
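The pattern the advisory describes (a link parameter copied into a cookie and echoed back unescaped on every later visit) beside a hardened handler, as an added illustration that is not SSPR's code. The parameter and cookie names, the allowlist and the page markup are assumptions; the hardened version validates on both store and read-back, so a cookie poisoned before the fix is neutralised rather than left to expire.

```python
import html
import re

# Hypothetical names: the advisory does not identify the affected parameter or cookie.
PARAM = "locale"
COOKIE = "sspr_locale"
MAX_AGE = 7 * 24 * 3600  # the advisory's default cookie lifetime of one week
ALLOWED = re.compile(r"^[A-Za-z]{2,3}([_-][A-Za-z0-9]{2,8})?$")  # e.g. "en", "en_US"


def vulnerable_handler(query, cookies):
    """Vulnerable pattern: the link's parameter is copied into a cookie and
    echoed into the page unescaped, so one crafted link re-fires on every visit."""
    value = query.get(PARAM, cookies.get(COOKIE, "default"))
    set_cookie = f"{COOKIE}={value}; Max-Age={MAX_AGE}" if PARAM in query else None
    return f"<p>Current setting: {value}</p>", set_cookie


def hardened_handler(query, cookies):
    """Hardened: allowlist-validate before persisting AND on read-back (neutralising
    a cookie poisoned before the fix), then HTML-escape when rendering."""
    candidate = query.get(PARAM, cookies.get(COOKIE, ""))
    valid = bool(ALLOWED.match(candidate))
    value = candidate if valid else "default"
    set_cookie = None
    if PARAM in query:
        # persist only a validated value; otherwise expire whatever is stored
        set_cookie = (f"{COOKIE}={value}; Max-Age={MAX_AGE}; HttpOnly" if valid
                      else f"{COOKIE}=; Max-Age=0")
    return f"<p>Current setting: {html.escape(value, quote=True)}</p>", set_cookie


def apply_set_cookie(cookies, header):
    """Minimal cookie-jar update: honours only name=value and Max-Age=0."""
    if header is None:
        return
    attrs = [a.strip() for a in header.split(";")]
    name, _, value = attrs[0].partition("=")
    if "Max-Age=0" in attrs[1:]:
        cookies.pop(name, None)
    else:
        cookies[name] = value


def simulate_visits(handler, first_query, visits=3):
    """First visit carries the query string from the link; later visits carry only
    the cookie, which is how the advisory's re-triggering happens. Returns the pages."""
    cookies, pages, query = {}, [], first_query
    for _ in range(visits):
        page, set_cookie = handler(query, cookies)
        apply_set_cookie(cookies, set_cookie)
        pages.append(page)
        query = {}  # subsequent visits: no query string, cookie only
    return pages
```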

Resolution

Apply SSPR 3.3.1 HF2 or later.


References:
Micro Focus Bug 967461.
CVE-2016-1599.