In EMC RSA Authentication Manager 8.2 SP1 and earlier, a malicious RSA Security Console Administrator could craft a token profile and store the profile name in the RSA Authentication Manager database. The profile name could include a crafted script (with an XSS payload) that could be executed when viewing or editing the assigned token profile in the token by another administrator’s browser session.
[
{
"product": "RSA Authentication Manager 8.2 SP1 and earlier",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "RSA Authentication Manager 8.2 SP1 and earlier"
}
]
}
]