Bmc · Bmc Myit Java System Solutions Sso Plugin · CVE-2018-15528
**Name of the Vulnerable Software and Affected Versions**
BMC MyIT Java System Solutions SSO plugin version 4.0.13.1
**Description**
A Reflected Cross-Site Scripting issue exists, allowing a remote attacker to inject client-side scripts into the `select sso()` function. This is triggered when a victim opens a prepared "/ux/jss-sso/arslogin?[XSS]" link and then clicks the "Login" button.
**Recommendations**
For BMC MyIT Java System Solutions SSO plugin version 4.0.13.1, consider disabling the `select sso()` function until a patch is available to prevent exploitation. Restrict access to the "/ux/jss-sso/arslogin" endpoint to minimize the risk of injection of malicious scripts.