Headline
CVE-2023-23956: Support Content Notification (Broadcom support portal)
Cross-Site Scripting Vulnerability in Symantec SiteMinder Web Agent
Summary
The Symantec SiteMinder Web Agent is susceptible to cross-site scripting attacks in which an attack URL is presented to unsuspecting users. When a user clicks the URL, an application may return a page to the browser that includes the input characters, along with an error message about bad parameters on the query string. Displaying these parameters in the browser can cause an unwanted script to execute in the browser.
This advisory provides guidelines to help customers prevent such attacks.
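The reflection pattern described in the summary, as an added Python example that is not SiteMinder or Broadcom code: a constructed error page echoes query-string parameters first raw and then HTML-encoded, and a parser check reports any markup the echo introduced. The function names, page template and sample query string are assumptions made for illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qsl

# Constructed sample query string (not taken from the advisory).
SAMPLE_QUERY = "target=%3Cscript%3Eprobe()%3C/script%3E&lang=en"


def render_error(query, encode=True):
    """Build a 'bad parameters' error page that echoes the query string.

    encode=False reproduces the unsafe echo the summary describes;
    encode=True HTML-encodes every echoed name and value.
    The page template is hypothetical.
    """
    fix = (lambda s: html.escape(s, quote=True)) if encode else (lambda s: s)
    items = "".join(
        f"<li>{fix(name)} = {fix(value)}</li>"
        for name, value in parse_qsl(query, keep_blank_values=True)
    )
    return f"<h1>Bad parameters on query string</h1><ul>{items}</ul>"


class _TagCollector(HTMLParser):
    """Records the element names an HTML parser sees in a page."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def injected_tags(page):
    """Return elements in the page other than the template's h1/ul/li."""
    parser = _TagCollector()
    parser.feed(page)
    parser.close()
    return [t for t in parser.tags if t not in ("h1", "ul", "li")]


if __name__ == "__main__":
    print("raw echo:    ", injected_tags(render_error(SAMPLE_QUERY, encode=False)))
    print("encoded echo:", injected_tags(render_error(SAMPLE_QUERY, encode=True)))
```

The same `injected_tags` check can serve as a regression test for any error page that echoes request input.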
Affected Product(s)
Issue Details
CVE-2023-23956
Severity / CVSS v3.0:
Medium / 5.4 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
References:
NVD: CVE-2023-23956
Impact:
Cross-Site Scripting
Description:
A user can supply malicious HTML and JavaScript code that will be executed in the client browser.
Mitigation & Additional Information
Customers can prevent the above-mentioned cross-site scripting attacks by following the guidelines at: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/web-agent-configuration/user-protection/help-prevent-attacks.html
Acknowledgements
- CVE-2023-23956: Harshit Joshi, https://www.linkedin.com/in/harshitjoshi01/
Revisions
2023-May-27 Initial public release
Related news
Symantec SiteMinder WebAgent version 12.52 suffers from a cross site scripting vulnerability.