Reflected xss in Admin Console REST interface (CVE-2017-14801)

  • 7022357
  • 20-Nov-2017
  • 20-Nov-2017

Environment

Access Manager 4.3
Access Manager Administration Console
Admin Console running on Windows or Linux
CVE-2017-14801

Situation

Input xss can be appended into the REST API url parameters and reflected back into the page error message without actual xss injection execution

Resolution

Apply 4.3 SP3. The fix consists on sanitation/validation of input to represent the diverse values for cluster, service, and other ID that are required to retrieve the requested information.

Feedback service temporarily unavailable. For content questions or problems, please contact Support.