CVE-2023-23949: Support Content Notification - Support Portal - Broadcom support portal

An authenticated user can supply malicious HTML and JavaScript code that will be executed in the client browser.

Multiple Vulnerabilities in Symantec Identity Manager

Product/Component


  • CA Identity Governance
  • CA Identity Manager
  • CA Identity Portal
  • CA Identity Suite

Notification Id

21174

Last Updated

25 January 2023

Initial Publication Date

20 January 2023

Status

CLOSED

Severity

HIGH

CVSS Base Score

8.1

Summary

This security advisory covers the following vulnerabilities in Symantec Identity Manager:

  • Multiple Reflected Cross-Site Scripting in Identity Manager
  • Response Splitting in Identity Manager
  • Oracle LDAP Attribute Information Disclosure in Identity Manager

Affected Product(s)

Identity Governance And Administration - Identity Manager

CVE               Supported Version(s)
CVE-2023-23949    14.3 CP3, 14.4.1, 14.4.2
CVE-2023-23950    14.3 CP3, 14.4.1, 14.4.2
CVE-2023-23951    14.3 CP3, 14.4.1, 14.4.2

Remediation (all three CVEs): Customers who are on 14.3 CP3, 14.4 CP1 (CHF2) and 14.4 CP2 can apply the hotfixes (link in the ‘References’ section).

Issue Details

CVE-2023-23949

Severity / CVSS v3.1:

High / 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)

References:

NVD: CVE-2023-23949

Impact:

Multiple Reflected Cross-Site Scripting

Description:

An authenticated user can supply malicious HTML and JavaScript code that will be executed in the client browser

CVE-2023-23950

Severity / CVSS v3.1:

High / 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)

References:

NVD: CVE-2023-23950

Impact:

Response Splitting

Description:

User-supplied input (usually a CRLF sequence) can be used to split a returned response into two responses.

CVE-2023-23951

Severity / CVSS v3.0:

Medium / 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

References:

NVD: CVE-2023-23951

Impact:

Oracle LDAP Attribute Information Disclosure

Description:

Ability to enumerate the Oracle LDAP attributes for the current user by modifying the query used by the application
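
The two server-side flaws described above (CRLF-based response splitting and modification of the LDAP query) are both prevented by validating or escaping user input before it reaches the response or the directory. The following is an added illustration of those two controls in Python; it is not code from Symantec Identity Manager, and the header values and uid values used are constructed samples.

```python
"""Defensive handling for the two server-side issues in this advisory:
CRLF-based HTTP response splitting and LDAP filter manipulation.
Illustrative only; not Symantec Identity Manager code."""
import re

# Any raw CR or LF inside a header value lets the client see a second,
# attacker-shaped response after the first one ends.
_CRLF = re.compile(r"[\r\n]")


def is_safe_header_value(value: str) -> bool:
    """True only when the value carries no CR/LF. Rejecting is safer than
    stripping: stripped bytes can reappear after framework-level decoding."""
    return _CRLF.search(value) is None


# RFC 4515 escaping for a value placed inside an LDAP search filter, so a
# user-controlled value cannot close the current clause and open new ones
# (the query-modification path described for CVE-2023-23951).
_LDAP_ESCAPES = {
    "\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00",
}


def ldap_filter_escape(value: str) -> str:
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(uid: str) -> str:
    """Filter that matches exactly the named user; the uid cannot widen it."""
    return f"(&(objectClass=person)(uid={ldap_filter_escape(uid)}))"


if __name__ == "__main__":
    # Constructed sample inputs: one clean redirect target, one with CRLF.
    for target in ("/home", "/home\r\nSet-Cookie: sid=1"):
        verdict = "ACCEPT" if is_safe_header_value(target) else "REJECT"
        print(verdict, repr(target))
    # Constructed uids: a normal one and one carrying filter metacharacters.
    print(build_user_filter("jdoe"))
    print(build_user_filter("*)(mail=*"))
```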

Acknowledgements

  • CVE-2023-23949: Christopher Vella of CyberCX
  • CVE-2023-23950: Christopher Vella of CyberCX
  • CVE-2023-23951: Christopher Vella of CyberCX

References

IGA 14.4:

    • Non-vApp: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-manager/14-4/Release-Notes/Hotfixes.html
    • vApp: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-suite/14-4/release-notes/Virtual-Appliance-Release-Notes/Hotfixes.html

IGA 14.3:

    • Non-vApp: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-manager/14-3/Release-Notes/Hotfixes.html
    • vApp: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-suite/14-3/release-notes/Virtual-Appliance-Release-Notes/Hotfixes.html

Revisions

2023-1-20 Initial public release