Change Download Preference

Current Preference
Change Preference to:

CA20131024-01: Security Notice for CA SiteMinder

Issued: October 24, 2013
Last Updated: October 31, 2013

CA Technologies Support is alerting customers to a potential vulnerability in CA SiteMinder that can be mitigated by utilizing existing product functionality. The vulnerability, CVE-2013-5968, can potentially allow a remote attacker to conduct a reflected cross-site scripting attack and execute script in the security context of the SiteMinder domain. Customers should review their SiteMinder deployments to verify that the vulnerability mitigating functionality is enabled.

Risk Rating



All platforms

Affected Products

CA SiteMinder 12.51
CA SiteMinder 12.5
CA SiteMinder 12.0
CA SiteMinder 6 Web Agents

How to determine if the installation is affected

Ensure cross-site scripting checking is enabled and the BadCSSChars setting contains the hexadecimal double quote, "%22". Alternatively, for SiteMinder 12.51, verify that FCCHTMLEncoding is enabled. See the solution section for details.


CA Technologies support is referring customers to guidance provided in the product documentation that describes how to protect against this vulnerability.

SiteMinder 12.51 only:

Enable FCC HTML encoding with FCCHTMLEncoding. For more information on this configuration setting, see the section titled "Prevent Cross-Site Scripting Attacks in Web Agent FCC Pages" in the Web Agent Configuration Guide 12.51.



SiteMinder 6, 12.0, 12.5, and as an alternative to the above solution for 12.51:

These instructions are derived from the CA SiteMinder Web Agent Configuration Guide 12.5. Review the sections titled "Protect Web Sites Against Cross-Site Scripting" and "Configure the Web Agent to Check For Cross Site-Scripting" starting on page 65 for more information.

  1. Add the hexadecimal equivalent for the double quote character, "%22", to the BadCSSChars setting.



    *Note: Setting BadCSSChars overrides the default cross-site scripting character set. SiteMinder administrators need to carefully review the setting to ensure all cross-site scripting characters are blocked for their specific environment.

  2. Enable cross-site scripting checking by setting CSSChecking to yes.




CVE-2013-5968 - SiteMinder CSS


CVE-2013-5968 - Zachary Pritchard, Cigital

Change History

Version 1.0: Initial Release
Version 1.1: 2013-10-25 Updated the description to specify the type of cross-site site scripting; reflected.
Version 1.2: 2013-10-30 Updated the Solution section to include an alternate configuration solution for SiteMinder 12.51

If additional information is required, please contact CA Technologies Support at

If you discover a vulnerability in CA Technologies products, please report your findings to the CA Technologies Product Vulnerability Response Team.