Cross-site scripting vulnerability in ICAP patience page

Date:
29 September 2008

Severity:
Low

Description:
The ICAP patience page (used to notify the user that a requested object is being scanned) is vulnerable to a cross-site scripting attack.

Workaround:
Customize the "details" section of the ICAP patience page so that it does not include the $(url) substitution.

The details section can be customized using the Management Console by accessing Configuration->External Services->ICAP and selecting the "ICAP Patience Page" tab, or via the CLI from the "external-services" mode using the "inline http icap-patience details" command.
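The substitution behaviour the description and workaround refer to, as an added illustration that is not part of the advisory or the appliance's own code: a hypothetical `$(name)` template expander (the real template engine is an assumption) rendering a constructed details section once with the requested URL copied in verbatim and once HTML-encoded, plus a check that a customised details section no longer references `$(url)`.

```python
import html
import re

# Hypothetical stand-in for the appliance's "$(name)" substitution syntax;
# the real template engine is not described on the page (assumption).
SUBST = re.compile(r"\$\((\w+)\)")

# Constructed sample details section that echoes the requested URL.
DEFAULT_DETAILS = "Please wait while $(url) is being scanned for viruses."

def render_details(template: str, values: dict, escape: bool = True) -> str:
    """Expand $(name) substitutions in an HTML details section.

    escape=False reproduces the unsafe behaviour the advisory describes: the
    requested URL is copied into the page verbatim, so any markup in it
    becomes part of the patience page. escape=True HTML-encodes each value
    so the URL is displayed as text only.
    """
    def sub(match: re.Match) -> str:
        value = values.get(match.group(1), "")
        return html.escape(value, quote=True) if escape else value
    return SUBST.sub(sub, template)

def uses_url_substitution(template: str) -> bool:
    """Workaround check: does a details section still reference $(url)?"""
    return "url" in SUBST.findall(template)

# Constructed sample request URL whose query string carries markup.
SAMPLE_URL = "http://example.test/download?file=<script>x</script>"

if __name__ == "__main__":
    # Unsafe expansion: the tag survives into the page markup.
    print(render_details(DEFAULT_DETAILS, {"url": SAMPLE_URL}, escape=False))
    # Encoded expansion: the tag is rendered as literal text.
    print(render_details(DEFAULT_DETAILS, {"url": SAMPLE_URL}))
    # Verify the workaround on a customised details section.
    print(uses_url_substitution(DEFAULT_DETAILS))
    print(uses_url_substitution("Please wait while the object is scanned."))
```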

Affected Versions:
4.2, 5.2, 5.3

Will be fixed in:
4.2.9, 5.2.5, 5.3.1.7

Reference:
Security Focus BugTraq