Today we published a security notice and fixes to address a medium risk, publicly known vulnerability in CA SiteMinder. The vulnerability, CVE-2011-4054,
occurs due to insufficient validation of postpreservationdata parameter input
utilized in the login.fcc form. A malicious user can submit a specially crafted
request to effectively hijack a victim’s browser. Vulnerability details were first publicized by CERT on 2011-12-07 in US-CERT Vulnerability Note VU#713012 – CA Siteminder login.fcc form xss vulnerability. We are not aware of any active exploitation, and due to the lower risk, we do not anticipate any widespread exploitation. Note that fixes are currently available only for SiteMinder R12. Fixes for SiteMinder R6 should be available in January 2012.
Notice for CA SiteMinder
Thanks and regards,
Ken Williams, Director
CA Technologies Product Vulnerability Response Team
CA Technologies Business Unit Operations
The opinions and statements on this site are my own and do not necessarily reflect the opinions or policies of CA Technologies.
Latest posts by Ken Williams (see all)
- CA20140218-01: Security Notice for CA 2E Web Option - February 18, 2014
- Investigating publicly disclosed vulnerability in CA 2E Web Option (CVE-2014-1219) - February 13, 2014
- Update: CA20121220-01: Security Notice for CA IdentityMinder - January 18, 2013