CVE-2005-2204

Name of the Vulnerable Software and Affected Versions: CA eTrust SiteMinder version 5.5

Description: A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML. This can be achieved via the PASSWORD or BUFFER parameters to "smpwservicescgi.exe", the TARGET parameter to "login.fcc", and possibly other vectors, when the CSSChecking parameter is set to "NO".

Recommendations: For CA eTrust SiteMinder version 5.5, as a temporary workaround, consider setting the CSSChecking parameter to a value other than "NO" to mitigate the risk of exploitation. Restrict access to the smpwservicescgi.exe and login.fcc endpoints to minimize the risk of XSS attacks. Avoid using the PASSWORD, BUFFER, and TARGET parameters in the affected endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.