Spectrum 10.x WebClient XSS Vulnerable

Document ID : KB000047076
Last Modified Date : 14/02/2018

Introduction: 

Spectrum OneClick Web Client XSS attack vulnerabilities

Question: 

Is Spectrum OneClick vulnerable to Persistent XSS Injection Vulnerabilities?

Environment:  

Spectrum 10.1, 10.1.1, 10.1.2, 10.2

Answer: 

Yes. The Spectrum Web Client, along with other components used by Spectrum, is vulnerable to XSS injection. Fixes for the XSS injection vulnerabilities are planned for a release after Spectrum 10.2. There is no workaround at this time.

Note: The OneClick Java Console is not affected.

The following defects (XSS injection and related input-handling issues) have been raised and are planned to be resolved post Spectrum 10.2:

DE159132 XSS in Cisco works page
DE159146 XML external entity (XXE) injection
DE159150 XSS in eHealth Configurations
DE159152 XSS in Email Configurations
DE159153 XSS in Landscape name
DE159154 XSS in LDAP Configurations
DE159155 XSS in NSM Configurations
DE159156 XSS in One Click Client Configuration
DE159157 Cross Site Scripting in Administration UIM Configuration
DE159160 XSS in Service Desk Configuration
DE159161 XSS in SDN Gateway Integration Configuration
DE159370 XSS in SPM Data Export
DE159376 XSS in SSL Certificates
DE159406 XSS in Wily Configurations
DE159409 Cross Site Scripting Vulnerability in entire Application
DE160439 Deserialization vulnerability in Spectrum OneClick server
DE160440 XSS in Backup/Recovery/Manage backups
DE160441 XSS in Business Objects Integration
DE160446 XSS in Outage Device/Model
DE160447 XSS in Preferences
DE160443 XSS in Jasper Integration

Additional Information:

User Story: US175228
Parent Story: F27404