CVE-2024-36459 - Vulnerability Details - OpenCVE

Description

A CRLF cross-site scripting vulnerability has been identified in certain configurations of the SiteMinder Web Agent for IIS Web Server and SiteMinder Web Agent for Domino Web Server. As a result, an attacker can execute arbitrary Javascript code in a client browser.

Published: 2024-06-14

Score: 8.4 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Broadcom

Symantec SiteMinder

unaffected

Version	Status	Constraints
`R 12.52 SP1 CR11 and below`	affected	—
`R12.8`	affected	—

No data.

No data.

No data available yet.

Remediation

Vendor Solution

Fix patches available

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2024-36103	A CRLF cross-site scripting vulnerability has been identified in certain configurations of the SiteMinder Web Agent for IIS Web Server and SiteMinder Web Agent for Domino Web Server. As a result, an attacker can execute arbitrary Javascript code in a client browser.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Active

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact Low

Subsequent System Integrity Impact High

Subsequent System Availability Impact Low

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00322.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://datatracker.ietf.org/doc/html/rfc6265#section-4.1.1
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24537

History

No history.

Subscriptions

Broadcom Symantec Siteminder

MITRE

Status: PUBLISHED

Assigner: symantec

Published: 2024-06-14T12:06:19.298Z

Updated: 2024-08-02T03:37:05.267Z

Reserved: 2024-05-28T10:24:37.079Z

Link: CVE-2024-36459

Vulnrichment

Updated: 2024-06-18T16:36:37.214Z

NVD

Status : Awaiting Analysis

Published: 2024-06-14T12:15:09.743

Modified: 2024-11-21T09:22:13.967

Link: CVE-2024-36459

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-93

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-36459", "assignerOrgId": "80d3bcb6-88de-48c2-a47e-aebf795f19b5", "state": "PUBLISHED", "assignerShortName": "symantec", "dateReserved": "2024-05-28T10:24:37.079Z", "datePublished": "2024-06-14T12:06:19.298Z", "dateUpdated": "2024-08-02T03:37:05.267Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Symantec SiteMinder", "vendor": "Broadcom", "versions": [{"status": "affected", "version": "R 12.52 SP1 CR11 and below"}, {"status": "affected", "version": "R12.8"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Citi VA Team"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">A CRLF cross-site scripting vulnerability has been identified in certain configurations of the SiteMinder Web Agent for IIS Web Server and SiteMinder Web Agent for Domino Web Server. As a result, an attacker can execute arbitrary Javascript code in a client browser. </span>"}], "value": "A CRLF cross-site scripting vulnerability has been identified in certain configurations of the SiteMinder Web Agent for IIS Web Server and SiteMinder Web Agent for Domino Web Server. As a result, an attacker can execute arbitrary Javascript code in a client browser."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.4, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "HIGH", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "providerMetadata": {"orgId": "80d3bcb6-88de-48c2-a47e-aebf795f19b5", "shortName": "symantec", "dateUpdated": "2024-06-21T17:49:24.972Z"}, "references": [{"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24537"}, {"url": "https://datatracker.ietf.org/doc/html/rfc6265#section-4.1.1"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Fix patches available <br>"}], "value": "Fix patches available"}], "source": {"discovery": "UNKNOWN"}, "title": "Cross-Site Scripting Vulnerability in Symantec SiteMinder Web Agent", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-93", "lang": "en", "description": "CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')"}]}], "affected": [{"vendor": "broadcom", "product": "symantec_siteminder", "cpes": ["cpe:2.3:a:broadcom:symantec_siteminder:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "r12.52_sp1_cr11", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-18T16:44:38.417263Z", "id": "CVE-2024-36459", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-18T16:44:41.186Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:37:05.267Z"}, "title": "CVE Program Container", "references": [{"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24537", "tags": ["x_transferred"]}, {"url": "https://datatracker.ietf.org/doc/html/rfc6265#section-4.1.1", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-36459", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-06-18T16:44:38.417263Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:broadcom:symantec_siteminder:*:*:*:*:*:*:*:*"], "vendor": "broadcom", "product": "symantec_siteminder", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "r12.52_sp1_cr11"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-93", "description": "CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-18T16:36:37.214Z"}}], "cna": {"title": "Cross-Site Scripting Vulnerability in Symantec SiteMinder Web Agent", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Citi VA Team"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.4, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Broadcom", "product": "Symantec SiteMinder", "versions": [{"status": "affected", "version": "R 12.52 SP1 CR11 and below"}, {"status": "affected", "version": "R12.8"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Fix patches available", "supportingMedia": [{"type": "text/html", "value": "Fix patches available <br>", "base64": false}]}], "references": [{"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24537"}, {"url": "https://datatracker.ietf.org/doc/html/rfc6265#section-4.1.1"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "A CRLF cross-site scripting vulnerability has been identified in certain configurations of the SiteMinder Web Agent for IIS Web Server and SiteMinder Web Agent for Domino Web Server. As a result, an attacker can execute arbitrary Javascript code in a client browser.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">A CRLF cross-site scripting vulnerability has been identified in certain configurations of the SiteMinder Web Agent for IIS Web Server and SiteMinder Web Agent for Domino Web Server. As a result, an attacker can execute arbitrary Javascript code in a client browser. </span>", "base64": false}]}], "providerMetadata": {"orgId": "80d3bcb6-88de-48c2-a47e-aebf795f19b5", "shortName": "symantec", "dateUpdated": "2024-06-21T17:49:24.972Z"}}}, "cveMetadata": {"cveId": "CVE-2024-36459", "state": "PUBLISHED", "dateUpdated": "2024-06-21T17:49:24.972Z", "dateReserved": "2024-05-28T10:24:37.079Z", "assignerOrgId": "80d3bcb6-88de-48c2-a47e-aebf795f19b5", "datePublished": "2024-06-14T12:06:19.298Z", "assignerShortName": "symantec"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "A CRLF cross-site scripting vulnerability has been identified in certain configurations of the SiteMinder Web Agent for IIS Web Server and SiteMinder Web Agent for Domino Web Server. As a result, an attacker can execute arbitrary Javascript code in a client browser."}, {"lang": "es", "value": "Se ha identificado una vulnerabilidad de cross-site scripting CRLF en determinadas configuraciones del Agente web de SiteMinder para el servidor web IIS y del Agente web de SiteMinder para el servidor web Domino. Como resultado, un atacante puede ejecutar c\u00f3digo Javascript arbitrario en el navegador de un cliente."}], "id": "CVE-2024-36459", "lastModified": "2024-11-21T09:22:13.967", "metrics": {"cvssMetricV40": [{"cvssData": {"attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "automatable": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "recovery": "NOT_DEFINED", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "LOW", "subsequentSystemConfidentiality": "LOW", "subsequentSystemIntegrity": "HIGH", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnerabilityResponseEffort": "NOT_DEFINED", "vulnerableSystemAvailability": "LOW", "vulnerableSystemConfidentiality": "LOW", "vulnerableSystemIntegrity": "HIGH"}, "source": "secure@symantec.com", "type": "Secondary"}]}, "published": "2024-06-14T12:15:09.743", "references": [{"source": "secure@symantec.com", "url": "https://datatracker.ietf.org/doc/html/rfc6265#section-4.1.1"}, {"source": "secure@symantec.com", "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24537"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://datatracker.ietf.org/doc/html/rfc6265#section-4.1.1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24537"}], "sourceIdentifier": "secure@symantec.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-93"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}