Access Manager 4.2 default login pages suffering from Reflected Cross-Site Scripting (XSS) vulnerability

  • 7017810
  • 04-Jul-2016
  • 22-Jul-2016


NetIQ Access Manager 4.2
Access Manager Identity Server


Access Manager 4.2 shipped with a new portal page designed to show appmarks. To simplify this portal page and it's branding a new set of JSP pages were released. However 'id' parameter in the Identity Server is vulnerable to Reflected Cross-Site Scripting (XSS) attack. This weakness can be exploited by an attacker to execute arbitrary JavaScript code within the context of other users and send all login credentials to the attacker himself. This way it is possible to highjack the user’s account.

As an example, the attacker could send the following URL to the user to trigger an alert:'-alert(1)-'b1uso&sid=0

Other formats may be used to trigger the same eg.<script>alert(1)</script>b1uso&sid=0


Fixed in 4.2.2.

To workaround issues in earlier versions of 4.2.2, make sure that any custom pages follow the best practice at