Computer Associates SiteMinder 'login.fcc' Cross Site Scripting Vulnerability

Bugtraq ID:	50962
Class:	Input Validation Error
CVE:	CVE-2011-4054
Remote:	Yes
Local:	No
Published:	Dec 07 2011 12:00AM
Updated:	Aug 28 2012 10:10AM
Credit:	Jon Passki of Aspect Security
Vulnerable:	Computer Associates SiteMinder R6 SP6 CR7 Computer Associates SiteMinder R12 SP3 CR8 Computer Associates SiteMinder R12 Computer Associates SiteMinder 6QMR5 CR13 Computer Associates SiteMinder 6.0 SP4 Computer Associates SiteMinder 6.0 CR31 Computer Associates SiteMinder 6.0 Computer Associates SiteMinder 0
Not Vulnerable:

Computer Associates SiteMinder 'login.fcc' Cross Site Scripting Vulnerability

Computer Associates SiteMinder is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Computer Associates SiteMinder 'login.fcc' Cross Site Scripting Vulnerability

To exploit this issue, an attacker must entice an unsuspecting user to follow a malicious URI.

Computer Associates SiteMinder 'login.fcc' Cross Site Scripting Vulnerability

Solution:
Updates are available. Please see the references for more information.

Computer Associates SiteMinder 'login.fcc' Cross Site Scripting Vulnerability

References:

• Computer Associates Homepage (Computer Associates)
  
• Vulnerability Note VU#713012 (US-CERT)