Reflected XSS Vulnerability in Layer7 OAuth Toolkit (OTK)
Summary
The Symantec Layer7 API Management OAuth Toolkit (OTK) is susceptible to a reflected cross-site scripting (XSS) vulnerability. A remote attacker can craft a malicious URL and target OTK users with phishing attacks or other social engineering techniques. A successful attack allows injecting malicious code into the user’s client browser in one of the OAuth flows.
Affected Product(s): Layer7 API Management OAuth Toolkit (OTK)
CVE: CVE-2021-30650
Supported Version(s): Prior to v4.4.x
Remediation: Upgrade to OTK 4.5 or contact Symantec Support for mitigation instructions.
Issue Details
CVE-2021-30650
Severity / CVSS v3.1:
Medium / 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
References:
NVD: CVE-2021-30650
Impact:
Cross-site scripting (XSS)
Description:
A reflected cross-site scripting (XSS) vulnerability in the Symantec Layer7 API Management OAuth Toolkit (OTK) allows a remote attacker to craft a malicious URL and target OTK users with phishing attacks or other social engineering techniques. A successful attack allows injecting malicious code into the user’s client browser in one of the OAuth flows.
Mitigation & Additional Information
Contact Symantec Support for mitigation instructions.
Acknowledgements
- CVE-2021-30650: Kirill Anikin and Daniil Morozov of Digital Compliance
Revisions
2022-02-16 initial public release