PT-2018-11461 · Cyberark · Cyberark Endpoint Privilege Manager

Code16 · Published 2018-06-26 · Updated 2018-08-30 · CVE-2018-12903

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
CyberArk Endpoint Privilege Manager version 10.2.1.603

Description
The issue concerns a persistent (stored) XSS vulnerability. It can be triggered via an account name on the create token screen, the VfManager.asmx SelectAccounts->DisplayName screen, a user's groups in ConfigurationPage, the Dialog Title field, and App Group Name in the Application Group Wizard.

Recommendations
For version 10.2.1.603, consider restricting access to the create token screen, VfManager.asmx, ConfigurationPage, and Application Group Wizard until a patch is available. As a temporary workaround, avoid using potentially malicious account names, DisplayNames, group names, Dialog Titles, and App Group Names in the affected screens and wizards. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

XSS


Weakness Enumeration

Related Identifiers

CVE-2018-12903

Affected Products

Cyberark Endpoint Privilege Manager