{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3862", "assignerOrgId": "80d3bcb6-88de-48c2-a47e-aebf795f19b5", "state": "PUBLISHED", "assignerShortName": "symantec", "dateReserved": "2026-03-10T05:13:18.524Z", "datePublished": "2026-03-10T14:52:52.344Z", "dateUpdated": "2026-03-10T15:40:24.948Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "80d3bcb6-88de-48c2-a47e-aebf795f19b5", "shortName": "symantec", "dateUpdated": "2026-03-10T14:52:52.344Z"}, "title": "Cross-Site Scripting Vulnerability in SiteMinder Administrative UI", "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "affected": [{"vendor": "Broadcom", "product": "SiteMinder", "modules": ["Administrative UI"], "versions": [{"status": "affected", "version": "12.9"}, {"status": "affected", "version": "12.8.x"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Cross-site Scripting (XSS) allows an attacker to submit specially crafted data to the application which is returned unaltered in the resulting web page.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Cross-site Scripting (XSS) allows an attacker to submit specially crafted data to the application which is returned unaltered in the resulting web page."}]}], "references": [{"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37176", "tags": ["vendor-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NO", "Recovery": "AUTOMATIC", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "MODERATE", "providerUrgency": "GREEN", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 4.6, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/AU:N/R:A/RE:M/U:Green"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.0"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-10T15:40:21.656851Z", "id": "CVE-2026-3862", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T15:40:24.948Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3862", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-10T15:40:21.656851Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T15:40:15.814Z"}}], "cna": {"title": "Cross-Site Scripting Vulnerability in SiteMinder Administrative UI", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "AUTOMATIC", "baseScore": 4.6, "Automatable": "NO", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/AU:N/R:A/RE:M/U:Green", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "GREEN", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "MODERATE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Broadcom", "modules": ["Administrative UI"], "product": "SiteMinder", "versions": [{"status": "affected", "version": "12.9"}, {"status": "affected", "version": "12.8.x"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37176", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 1.0.0"}, "descriptions": [{"lang": "en", "value": "Cross-site Scripting (XSS) allows an attacker to submit specially crafted data to the application which is returned unaltered in the resulting web page.", "supportingMedia": [{"type": "text/html", "value": "Cross-site Scripting (XSS) allows an attacker to submit specially crafted data to the application which is returned unaltered in the resulting web page.", "base64": false}]}], "providerMetadata": {"orgId": "80d3bcb6-88de-48c2-a47e-aebf795f19b5", "shortName": "symantec", "dateUpdated": "2026-03-10T14:52:52.344Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3862", "state": "PUBLISHED", "dateUpdated": "2026-03-10T15:40:24.948Z", "dateReserved": "2026-03-10T05:13:18.524Z", "assignerOrgId": "80d3bcb6-88de-48c2-a47e-aebf795f19b5", "datePublished": "2026-03-10T14:52:52.344Z", "assignerShortName": "symantec"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:broadcom:symantec_siteminder:*:*:*:*:*:*:*:*", "matchCriteriaId": "C62AB264-60E8-4814-AF98-6288B0AEDD38", "versionEndIncluding": "12.8.08", "versionStartIncluding": "12.8", "vulnerable": true}, {"criteria": "cpe:2.3:a:broadcom:symantec_siteminder:12.9:*:*:*:*:*:*:*", "matchCriteriaId": "5C71B006-8C2C-4BB9-AEEE-5B88612A1965", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-site Scripting (XSS) allows an attacker to submit specially crafted data to the application which is returned unaltered in the resulting web page."}, {"lang": "es", "value": "Cross-site scripting (XSS) permite a un atacante enviar datos especialmente dise\u00f1ados a la aplicaci\u00f3n que son devueltos sin alterar en la p\u00e1gina web resultante."}], "id": "CVE-2026-3862", "lastModified": "2026-05-07T18:21:07.753", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NO", "Recovery": "AUTOMATIC", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "GREEN", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:A/V:X/RE:M/U:Green", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "MODERATE"}, "source": "secure@symantec.com", "type": "Secondary"}]}, "published": "2026-03-10T18:19:06.200", "references": [{"source": "secure@symantec.com", "tags": ["Permissions Required"], "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37176"}], "sourceIdentifier": "secure@symantec.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "12.9"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[12.8.0,12.9.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "SiteMinder", "source": "cna", "vendor": "Broadcom"}, "product": "siteminder", "vendor": "broadcom"}], "analysis": {"en": {"generated_at": "2026-04-16T09:50:43.933004+00:00", "value": {"mitigation_remediation": ["Apply the latest Broadcom SiteMinder patch or upgrade to a version that includes the XSS fix.", "Configure the administrative UI to encode all user\u2011supplied data before rendering, ensuring outputs are properly escaped for HTML and JavaScript contexts.", "Limit access to the SiteMinder management console to trusted administrators and enforce strong authentication to reduce the attack surface.", "Deploy a web application firewall rule that detects and blocks typical XSS payload patterns entering the administrative UI."], "summary": {"action": "Monitor", "impact": "Client Side Code Execution via Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Broadcom SiteMinder administrators using the web\u2011based management console are impacted. The advisory references the Broadcom product line without specifying affected releases, so all versions that expose the unvalidated input path within the administrative UI should be considered vulnerable until a fix is applied.", "description_and_impact": "The vulnerability is a classic Cross\u2011Site Scripting flaw that allows an attacker to submit crafted input which is echoed back in the SiteMinder administrative web interface without proper sanitization. Because the data is displayed unchanged, a malicious payload can run in the browser of any user who views the affected page, enabling script execution, cookie theft, session hijacking, or UI manipulation. The weakness is identified as CWE\u201179, and the CVSS score of 4.6 reflects low\u2011to\u2011moderate impact for attackers who can access the admin UI.", "risk_and_exploitability": "With an EPSS below 1% and no listing in the KEV catalog, public exploitation is currently improbable, but the existence of the flaw means that anyone with administrative login credentials or an ability to inject content into the UI can trigger the risk. Attackers would need to direct a compromised user to view the malicious page or gain a foothold in the admin console. The advisory does not provide an exploit example, so while the risk remains theoretical, the potential for client\u2011side compromise warrants ongoing monitoring and timely patching."}}}}, "created": "2026-03-11T11:50:07.849617+00:00", "updated": "2026-04-16T10:00:14.066056+00:00", "vendors": ["broadcom", "broadcom$PRODUCT$siteminder"]}