CVE-2023-23949: Support Content Notification - Support Portal - Broadcom support portal
Multiple Vulnerabilities in Symantec Identity Manager
Product/Component
- CA Identity Governance
- CA Identity Manager
- CA Identity Portal
- CA Identity Suite
Notification Id: 21174
Last Updated: 25 January 2023
Initial Publication Date: 20 January 2023
Status: CLOSED
Severity: HIGH
CVSS Base Score: 8.1
Workaround:
Affected CVE:
Summary
This security advisory covers the following vulnerabilities in Symantec Identity Manager:
- Multiple Reflected Cross-Site Scripting in Identity Manager
- Response Splitting in Identity Manager
- Oracle LDAP Attribute Information Disclosure in Identity Manager
Affected Product(s): Identity Governance And Administration-Identity Manager

| CVE | Supported Version(s) | Remediation |
|---|---|---|
| CVE-2023-23949 | 14.3 CP3, 14.4.1, 14.4.2 | Customers who are on 14.3 CP3, 14.4 CP1 (CHF2) and 14.4 CP2 can apply the hotfixes (link in the ‘References’ section) |
| CVE-2023-23950 | 14.3 CP3, 14.4.1, 14.4.2 | Customers who are on 14.3 CP3, 14.4 CP1 (CHF2) and 14.4 CP2 can apply the hotfixes (link in the ‘References’ section) |
| CVE-2023-23951 | 14.3 CP3, 14.4.1, 14.4.2 | Customers who are on 14.3 CP3, 14.4 CP1 (CHF2) and 14.4 CP2 can apply the hotfixes (link in the ‘References’ section) |
Issue Details
CVE-2023-23949
Severity / CVSS v3.1: High / 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)
References: NVD: CVE-2023-23949
Impact: Multiple Reflected Cross-Site Scripting
Description: An authenticated user can supply malicious HTML and JavaScript code that will be executed in the client browser.
CVE-2023-23950
Severity / CVSS v3.1: High / 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)
References: NVD: CVE-2023-23950
Impact: Response Splitting
Description: User-supplied input (usually a CRLF sequence) can be used to split a returned response into two responses.
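As an added illustration (not part of Broadcom's advisory or of the product's code), the Python below does two things a defender would want for the response-splitting class described above: it flags access-log requests whose query parameters decode to a CR or LF, the precondition for splitting a response, and it shows a header-setting guard that refuses such input. The log lines, paths and parameter names are constructed for the example and are not Identity Manager endpoints.

```python
"""Detection and mitigation helpers for CRLF response splitting (added example)."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Common Log Format lines; paths and parameters are illustrative only.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Jan/2023:10:00:01 +0000] "GET /app/search?name=alice HTTP/1.1" 200 512
10.0.0.9 - - [20/Jan/2023:10:00:07 +0000] "GET /app/redirect?to=%2Fhome%0d%0aSet-Cookie%3A+x%3D1 HTTP/1.1" 302 0
10.0.0.9 - - [20/Jan/2023:10:00:09 +0000] "GET /app/search?name=bob%0ASecond HTTP/1.1" 200 600
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
CRLF_RE = re.compile(r"[\r\n]")


def find_crlf_attempts(log_text: str) -> list[tuple[str, str]]:
    """Return (path, parameter) pairs whose decoded value contains CR or LF.

    parse_qsl percent-decodes once; decoding the result again also catches
    values that were double-encoded to slip past a naive filter.
    """
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a request line we understand
        parts = urlsplit(match.group("target"))
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            if CRLF_RE.search(unquote(value)):
                hits.append((parts.path, key))
    return hits


class HeaderInjectionError(ValueError):
    """Raised when user input would terminate the header block."""


def safe_header(name: str, value: str) -> tuple[str, str]:
    """Mitigation: reject any header name or value carrying CR/LF, so user input
    can never end the header block and start a second response."""
    if CRLF_RE.search(name) or CRLF_RE.search(value):
        raise HeaderInjectionError(f"CR/LF in header {name!r}")
    return (name, value)


if __name__ == "__main__":
    print(find_crlf_attempts(SAMPLE_LOG))  # prints [('/app/redirect', 'to'), ('/app/search', 'name')]
```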
CVE-2023-23951
Severity / CVSS v3.0: Medium / 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
References: NVD: CVE-2023-23951
Impact: Oracle LDAP Attribute Information Disclosure
Description: Ability to enumerate the Oracle LDAP attributes for the current user by modifying the query used by the application.
Acknowledgements
- CVE-2023-23949: Christopher Vella of CyberCX
- CVE-2023-23950: Christopher Vella of CyberCX
- CVE-2023-23951: Christopher Vella of CyberCX
References
IGA 14.4:
- Non-vApp: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-manager/14-4/Release-Notes/Hotfixes.html
- vApp: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-suite/14-4/release-notes/Virtual-Appliance-Release-Notes/Hotfixes.html
IGA 14.3:
- Non-vApp: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-manager/14-3/Release-Notes/Hotfixes.html
- vApp: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-suite/14-3/release-notes/Virtual-Appliance-Release-Notes/Hotfixes.html
Revisions
2023-01-20 Initial public release