Novell Access Manager Identity Server IssueInstant Parameter Cross-Site Scripting Vulnerability

Bugtraq ID:	21921
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Jan 08 2007 12:00AM
Updated:	Jan 08 2007 08:50PM
Credit:	The vendor disclosed this issue.
Vulnerable:	Novell Access Manager 3
Not Vulnerable:

Novell Access Manager Identity Server IssueInstant Parameter Cross-Site Scripting Vulnerability

Access Manager Identity Server is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.

An attacker may leverage this issue to have arbitrary script code execute in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

Novell Access Manager Identity Server IssueInstant Parameter Cross-Site Scripting Vulnerability

An attacker can exploit this issue with a web client.

The following proof-of-concept URI is available:

• /data/vulnerabilities/exploits/21921.html

Novell Access Manager Identity Server IssueInstant Parameter Cross-Site Scripting Vulnerability

Solution:
The vendor has released a fix to address this issue. Please see the referenced advisory and contact the vendor for information on how to obtain and apply this fix.

Novell Access Manager Identity Server IssueInstant Parameter Cross-Site Scripting Vulnerability

References:

• Access Manager Homepage (Novell)
  
• Cross scripting (XSS) vulnerability with Access Manager Identity Server (Novell)