Initial Publication Date: 29 Sep 2008
Advisory Status: Closed
Advisory Severity: Low
Legacy ID:
The ICAP patience page (used to notify the user that a requested object is being scanned) is vulnerable to a cross-site scripting attack.
Customize the "details" section of the ICAP patience page so that it does not include the $(url) substitution.
The details section can be customized using the Management Console by accessing Configuration->External Services->ICAP and selecting the "ICAP Patience Page" tab, or via the CLI from the "external-services" mode using the "inline http icap-patience details" command.
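The effect of the workaround above can be seen in a small model of the $(name) substitution step. This is an added example, not the appliance's code. The template texts, the sample request URL and the function names are constructed for illustration, and the HTML-escaping variant goes beyond the workaround the advisory gives.

```python
import html
import re

# Matches $(name) substitutions in the form the advisory uses, e.g. $(url).
SUBST = re.compile(r"\$\(([A-Za-z0-9_.\-]+)\)")

def expand(template, values, escape=False):
    """Expand $(name) substitutions; unknown names are left untouched."""
    def repl(match):
        name = match.group(1)
        if name not in values:
            return match.group(0)
        value = values[name]
        # escape=True models output encoding (not part of the advisory).
        return html.escape(value, quote=True) if escape else value
    return SUBST.sub(repl, template)

def audit_details(template, risky=("url",)):
    """Return the risky substitutions still present in a details template."""
    found = {m.group(1) for m in SUBST.finditer(template)}
    return sorted(found.intersection(risky))

# Constructed sample data (assumptions, not the product's default text).
DETAILS_WITH_URL = "<p>Scanning $(url), please wait.</p>"
DETAILS_FIXED = "<p>Your requested object is being scanned, please wait.</p>"
REQUEST = {"url": 'http://example.test/a?q="><script>alert(1)</script>'}

def demo():
    return {
        # Request-controlled text lands in the page as markup.
        "raw": expand(DETAILS_WITH_URL, REQUEST),
        # Same template with the value encoded before insertion.
        "escaped": expand(DETAILS_WITH_URL, REQUEST, escape=True),
        # Advisory workaround: details text without $(url).
        "fixed": expand(DETAILS_FIXED, REQUEST),
        "audit_before": audit_details(DETAILS_WITH_URL),
        "audit_after": audit_details(DETAILS_FIXED),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

`audit_details` can be run over the customized details text after the change to confirm that no $(url) substitution remains.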