Marco Murch

**Name of the Vulnerable Software and Affected Versions** BMC MyIT Java System Solutions SSO plugin version 4.0.13.1 **Description** A Reflected Cross-Site Scripting issue exists, allowing a remote attacker to inject client-side scripts into the `select sso()` function. This is triggered when a victim opens a prepared "/ux/jss-sso/arslogin?[XSS]" link and then clicks the "Login" button. **Recommendations** For BMC MyIT Java System Solutions SSO plugin version 4.0.13.1, consider disabling the `select sso()` function until a patch is available to prevent exploitation. Restrict access to the "/ux/jss-sso/arslogin" endpoint to minimize the risk of injection of malicious scripts.