Cross-Site Scripting vulnerability and Spectrum

Document ID : KB000015733
Last Modified Date : 14/02/2018
Introduction:

Below are the details on the Cross-Site Scripting vulnerability.


Cross-Site Scripting 

Severity: High 

CVSS Score: 7.5 

URL: https://oneclick.it.slb.com/spectrum/common/do/about 

Entity: aboutAppName (Parameter) 

Risk: It may be possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user.

Causes: Sanitization of hazardous characters was not performed correctly on user input.

Fix: Review possible solutions for hazardous character injection.

Reasoning: The test result seems to indicate a vulnerability because AppScan successfully embedded a script in the response, which will be executed when the page loads in the user's browser.
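As an added illustration (not code from this knowledge document or from Spectrum), the Python below contrasts the class of defect described above, a request parameter reflected verbatim into the response, with the fix of HTML-encoding it before output. The page template, the parameter name handling and the sample scanner input are constructed assumptions, not the actual Spectrum OneClick page.

```python
import html

# Constructed template standing in for an "about" page that reflects the
# aboutAppName parameter into both an element body and a quoted attribute.
# The real Spectrum page layout is not reproduced here (assumption).
ABOUT_TEMPLATE = (
    "<html><head><title>About {name}</title></head>"
    '<body><h1 data-app="{name}">{name}</h1></body></html>'
)


def render_about_vulnerable(about_app_name: str) -> str:
    """Reflects the parameter as-is: hazardous characters reach the browser."""
    return ABOUT_TEMPLATE.format(name=about_app_name)


def render_about_fixed(about_app_name: str) -> str:
    """Encodes <, >, &, " and ' so the value is rendered as text, not markup."""
    safe = html.escape(about_app_name, quote=True)
    return ABOUT_TEMPLATE.format(name=safe)


def reflected_verbatim(rendered: str, untrusted: str) -> bool:
    """Simple check: does the untrusted input appear unchanged in the page?

    This is the condition a scanner looks for when it reports that it
    "successfully embedded a script in the response".
    """
    return untrusted in rendered


# Constructed probe value of the kind a scanner submits: it closes the
# attribute, then the tag, and opens a script element.
SCANNER_INPUT = '"><script>x</script>'

if __name__ == "__main__":
    print(render_about_vulnerable(SCANNER_INPUT))
    print(render_about_fixed(SCANNER_INPUT))
```

The fixed renderer produces `&quot;&gt;&lt;script&gt;x&lt;/script&gt;` in place of the probe, so the browser displays the text instead of executing it; the encoding must match the output context (HTML body and attribute here), which is why the fix applies at the point of reflection rather than as input filtering alone.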

Question:

Is Spectrum susceptible to the Cross-Site Scripting vulnerability and if so, are there any plans to protect against it? 

Answer:

The Cross-Site Scripting vulnerability is scheduled to be addressed in Spectrum 10.02.02.00. There is no projected release date for Spectrum 10.02.02.00 at the time this knowledge document was published.