Environment
Self Service Password Reset
SSPR 2.x
SSPR 3.x up to and including 3.3.1.1
Situation
SSPR 2.x and SSPR 3.x are vulnerable to a cross-site scripting (XSS) attack in which an attacker can inject arbitrary JavaScript into a user's browser session by getting the user to click a specially crafted link. After the initial attack, the affected parameter persists in the user's cookie and re-triggers execution of the injected script every time the user visits the affected page, until the cookie expires (one week by default).
The issue has been assigned CVE-2016-1599.
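To make the cookie persistence described above concrete, the following is an added Python model, not SSPR's own code: a page handler that copies a query parameter into a cookie and echoes it on every later visit, shown beside a hardened version that allowlists the value before persisting it and HTML-escapes it on output. The parameter name `view`, the host `sspr.example`, the allowlist and the sample payload are constructed assumptions; the real affected parameter is not named in this bulletin.

```python
import html
import re
from urllib.parse import urlparse, parse_qs, quote

COOKIE_MAX_AGE = 7 * 24 * 3600                       # one-week default lifetime from the bulletin
VIEW_ALLOWLIST = re.compile(r"[A-Za-z0-9_-]{1,32}")  # assumed shape of a legitimate value


def _cookie_value(cookie_header, name):
    """Minimal Cookie-header parser: 'a=1; b=2' -> value of `name`, or None."""
    for part in (cookie_header or "").split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


def pick_view(url, cookie_header=""):
    """Query parameter wins; otherwise fall back to the value persisted in the cookie."""
    qs = parse_qs(urlparse(url).query)
    if "view" in qs:
        return qs["view"][0]
    return _cookie_value(cookie_header, "view") or "default"


def render_vulnerable(url, cookie_header=""):
    """Vulnerable model: the raw value is persisted in a cookie and echoed unescaped,
    so one crafted link keeps firing on every visit until the cookie expires."""
    view = pick_view(url, cookie_header)
    set_cookie = f"view={view}; Max-Age={COOKIE_MAX_AGE}; Path=/"
    return set_cookie, f"<h1>Current view: {view}</h1>"


def render_fixed(url, cookie_header=""):
    """Hardened model: reject anything outside the allowlist before persisting it
    (which also cleans an already poisoned cookie) and escape the value on output."""
    view = pick_view(url, cookie_header)
    if not VIEW_ALLOWLIST.fullmatch(view):
        view = "default"
    set_cookie = f"view={view}; Max-Age={COOKIE_MAX_AGE}; Path=/; HttpOnly; Secure"
    return set_cookie, f"<h1>Current view: {html.escape(view, quote=True)}</h1>"


def cookie_from(set_cookie):
    """The name=value pair a browser would send back on the next request."""
    return set_cookie.split(";", 1)[0]


# Constructed crafted link carrying a textbook, harmless marker payload.
CRAFTED_LINK = "https://sspr.example/page?view=" + quote("<script>alert(1)</script>")

if __name__ == "__main__":
    sc, body = render_vulnerable(CRAFTED_LINK)
    print("vulnerable, first visit :", body)
    print("vulnerable, later visit :", render_vulnerable("https://sspr.example/page", cookie_from(sc))[1])
    print("fixed, poisoned cookie  :", render_fixed("https://sspr.example/page", cookie_from(sc))[1])
```

The second `render_vulnerable` call carries no payload in the URL at all; the script comes back purely from the cookie, which is the re-trigger behaviour the Situation describes, and `render_fixed` neutralises it even for a browser that already holds the poisoned cookie.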
Resolution
Apply SSPR 3.3.1 HF2 or later.
References:
Micro Focus Bug 967461.
CVE-2016-1599.