Reflected XSS in Admin Console REST interface (CVE-2017-14801)

  • 7022357
  • 20-Nov-2017
  • 20-Nov-2017


Access Manager 4.3
Access Manager Administration Console
Admin Console running on Windows or Linux


XSS input appended to the REST API URL parameters is reflected back into the page's error message without sanitization; the reflected input was not observed actually executing as injected script.


Apply Access Manager 4.3 SP3. The fix sanitizes and validates the input values (cluster ID, service ID, and the other identifiers) that the REST interface requires to retrieve the requested information.
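The following is an added illustration of the vulnerable pattern and the kind of fix described above; it is not Access Manager code. It assumes the identifiers (cluster ID, service ID) are short opaque tokens and uses a constructed allow-list pattern and a constructed sample input.

```python
import html
import re
from typing import Optional

# Allow-list for the opaque identifiers the REST interface receives
# (cluster ID, service ID, ...). The exact format is an assumption for
# this example; tighten it to whatever the real identifiers look like.
ID_PATTERN = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def error_page_vulnerable(raw_id: str) -> str:
    """Before the fix: the request parameter is echoed verbatim into the
    HTML error message, so markup in the parameter becomes page markup."""
    return f"<p>Error: no object found for id {raw_id}</p>"


def validate_id(raw_id: str) -> Optional[str]:
    """Return the identifier if it matches the allow-list, else None."""
    return raw_id if ID_PATTERN.fullmatch(raw_id) else None


def error_page_hardened(raw_id: str) -> str:
    """After the fix: reject anything outside the allow-list, and
    HTML-encode whatever is echoed back as defense in depth."""
    ident = validate_id(raw_id)
    if ident is None:
        # Do not reflect the rejected value at all.
        return "<p>Error: invalid identifier format</p>"
    return f"<p>Error: no object found for id {html.escape(ident)}</p>"


def contains_foreign_markup(page: str) -> bool:
    """Crude check for a test: any raw tag other than the template's <p>."""
    return bool(re.search(r"<(?!/?p>)[a-zA-Z]", page))


if __name__ == "__main__":
    # Constructed sample inputs: a well-formed ID and one carrying markup.
    for sample in ("cluster-1a2b", "<b>x</b>"):
        print("vulnerable:", error_page_vulnerable(sample))
        print("hardened:  ", error_page_hardened(sample))
```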