XSS Vulnerability with ESP URL (CVE-2017-14799)

  • 7022358
  • 20-Nov-2017
  • 20-Nov-2017

Environment

Access Manager 4.3
Access Gateway Embedded Service Provider
CVE-2017-14799

Situation

Script input appended to the ESP login URL parameters is reflected back into the response without sanitization, so the injected script executes in the victim's browser (reflected cross-site scripting).

Resolution

Apply Access Manager 4.3.3. The fix consists of sanitizing and validating the input ESP login URL.
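To illustrate what "sanitation/validation of the input ESP login URL" means in practice, the following is an added example, not code from Access Manager or the ESP: it shows the failure mode described above (a URL parameter reflected verbatim into HTML) beside a hardened handler that first validates the parameter (allowed characters, relative path or an allow-listed host) and then HTML-encodes it before reflecting it. The allowed host `am.example.com`, the fallback path `/nidp/app` and the function names are assumptions made for the example.

```python
import html
import re
from typing import Optional
from urllib.parse import urlparse

# Assumed for this example: hosts the login URL may legitimately point at.
ALLOWED_HOSTS = {"am.example.com"}
# Assumed fallback used when the supplied login URL is rejected.
DEFAULT_LOGIN_URL = "/nidp/app"

# Characters permitted in a URL (RFC 3986 unreserved + reserved + percent).
# Anything else, including quotes, angle brackets and control characters, is rejected.
SAFE_URL_CHARS = re.compile(r"[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]*")


def render_login_link_unsafe(login_url: str) -> str:
    """Sketch of the vulnerable pattern: the parameter is reflected as-is.

    Any markup in login_url lands in the page unchanged.
    """
    return f'<a href="{login_url}">Continue to login</a>'


def validate_login_url(login_url: str) -> Optional[str]:
    """Return login_url if it is acceptable, otherwise None.

    Accepted forms:
      - a site-relative path starting with a single '/'
      - an absolute http(s) URL whose host is on the allow list
    """
    if not SAFE_URL_CHARS.fullmatch(login_url):
        return None
    parsed = urlparse(login_url)
    if parsed.scheme == "" and parsed.netloc == "":
        # Relative reference; '//host/...' would have produced a netloc, so
        # the extra check only guards against odd parsers.
        if parsed.path.startswith("/") and not parsed.path.startswith("//"):
            return login_url
        return None
    if parsed.scheme in ("http", "https") and parsed.hostname in ALLOWED_HOSTS:
        return login_url
    return None


def render_login_link(login_url: str) -> str:
    """Hardened version: validate, fall back to a safe default, then encode.

    html.escape(quote=True) turns <, >, &, " and ' into entities, so even a
    value that passes validation cannot break out of the attribute.
    """
    safe_url = validate_login_url(login_url)
    if safe_url is None:
        safe_url = DEFAULT_LOGIN_URL
    return f'<a href="{html.escape(safe_url, quote=True)}">Continue to login</a>'


if __name__ == "__main__":
    # Constructed sample parameter values for a quick manual run.
    for candidate in ["/nidp/app/login?target=home",
                      "https://am.example.com/nidp/app",
                      "https://evil.example.net/nidp/app",
                      '/x"><script>']:
        print(repr(candidate), "->", render_login_link(candidate))
```

Validation and output encoding are deliberately both present: validation rejects values that have no business in a login URL, while encoding guarantees that whatever does get reflected is treated by the browser as attribute text rather than markup.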