On Thursday, March 4, 2010, we posted a security notice for CA SiteMinder. The security notice, CA20100304-01, describes a low-risk cross-site scripting (XSS) vulnerability that affects only older versions of CA SiteMinder (r6.0 SP4 and earlier). The vulnerability is located in the publishing tool component, whose code was developed by a third-party vendor (WebWorks.com). We are not aware of any publicly released exploit code or of exploitation in the wild. WebWorks.com did, however, publish a security notice in December 2009 that included detailed vulnerability information, so successful exploitation is a relatively trivial matter for anyone who reads it.
See the links below for additional information.
CA20100304-01: Security Notice for CA SiteMinder
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=230857
WebWorks.com Security Advisory 2009-0001
http://www.webworks.com/Security/2009-0001/
CVE-2009-3731
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3731
Regards,
Ken Williams, Director
CA Product Vulnerability Response Team
The opinions and statements on this site are my own and do not necessarily reflect the opinions or policies of CA.