Vigil@nce: CA SiteMinder, Cross Site Scripting via WebWorks Help
March 2010 by Vigil@nce
An attacker can use the WebWorks Help in order to generate a Cross
Site Scripting in CA SiteMinder.
– Severity: 2/4
– Consequences: client access/rights
– Provenance: document
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 05/03/2010
IMPACTED PRODUCTS
– CA SiteMinder
DESCRIPTION OF THE VULNERABILITY
The WebWorks Help (wwhelp) format is used to create online help
pages. It is used by the CA SiteMinder product.
However, a Cross Site Scripting was announced in WebWorks Help. It
also impacts CA SiteMinder.
An attacker can therefore invite the victim to access to a
malicious url, in order to execute JavaScript code in the context
of the CA SiteMinder product.
CHARACTERISTICS
– Identifiers: CA20100304-01, CVE-2009-3731, VIGILANCE-VUL-9499
– Url: http://vigilance.fr/vulnerability/CA-SiteMinder-Cross-Site-Scripting-via-WebWorks-Help-9499