UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

tc Server CaSa must be configured with a cross-site scripting (XSS) filter.


Overview

Finding ID Version Rule ID IA Controls Severity
V-241677 VROM-TC-000625 SV-241677r879650_rule Medium
Description
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. As a web server, tc Server can be vulnerable to XSS if steps are not taken to mitigate the threat. VMware provides the XssFilter component to provide a layer of defense against XSS. Filters are Java objects that performs filtering tasks on either the request to a resource (a servlet or static content), or on the response from a resource, or both.
STIG Date
VMware vRealize Operations Manager 6.x tc Server Security Technical Implementation Guide 2023-09-12

Details

Check Text ( C-44953r683891_chk )
At the command prompt, execute the following command:

grep -B 2 -A 7 XssFilter /usr/lib/vmware-casa/casa-webapp/webapps/admin/WEB-INF/web.xml

If the XSS filter is not present and there is no result returned, then this is a finding.
Fix Text (F-44912r683892_fix)
Navigate to and open /usr/lib/vmware-casa/casa-webapp/webapps/admin/WEB-INF/web.xml.

Configure a node with the below configuration:


xssfilter
com.vmware.vcops.ui.util.XssFilter



fileIncludes
/vcops/services/api.js,/vcops/services/api-debug.js,/vcops/services/api-debug-doc.js



xssfilter
/vcops/services/*