Signature Detail

HTTP: HTML Script Tag Embedded in Cookie

This signature detects attempts at cross-site scripting attacks. Attackers can create a malicious Web site that includes HTML embedded in the hyperlinks, which can violate site security settings. A victim that accesses these hyperlinks can allow the attacker to view the victim's Web cookies. Web cookies typically contain sensitive information.

Extended Description

Computer Associates SiteMinder Web Agent is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. Exploiting this issue allows attackers to execute arbitrary HTML or script code in a user's browser session in the context of an affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. We were not told which versions are affected. We will update this BID as more information emerges.

Affected Products

• Computer Associates SiteMinder 6.0
• Computer Associates SiteMinder
• Computer Associates SiteMinder Web Agent

References

• BugTraq: 26375
• CERT: CA-2000-02
• CVE: CVE-2015-1628
• CVE: CVE-2007-5923