Published: March 04 2010, 11:35 AM, by Ken Williams
On Thursday, March 4, 2010, we posted a security notice for CA SiteMinder. The security notice, CA20100304-01, describes a low-risk cross-site scripting (XSS) vulnerability that affects only older versions of CA SiteMinder (r6.0 SP4 and earlier). The vulnerability is located in the publishing tool component code, which was developed by a third-party vendor (WebWorks.com). We're not aware of any publicly released exploit code or exploitation in the wild. However, WebWorks.com published a security notice in December 2009, and detailed vulnerability information was published at that time, so successful exploitation is a relatively trivial matter.
See the links below for additional information.
CA20100304-01: Security Notice for CA SiteMinder
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=230857
WebWorks.com Security Advisory 2009-0001
http://www.webworks.com/Security/2009-0001/
CVE-2009-3731
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3731
Regards,
Ken Williams, Director
CA Product Vulnerability Response Team
The opinions and statements on this site are my own and do not necessarily reflect the opinions or policies of CA.
By: Ken Williams
Ken Williams is a Director with the CA Vulnerability Research Team. As a veteran vulnerability researcher, Ken has worked as the Director of the CA Vulnerability Research Team and eVM Research Team, Director of Vulnerability Research at eSecurityOnline, Manager of the Vulnerability Research Team at Ernst...