After upgrading RSA Identity Governance & Lifecycle to 7.0.2 or higher from a version prior to 7.0.2, accessing user Dashboards results in the following errors:
The request could not be handled
Unable to create page for page ID "<name of page being accessed>"
Unsafe characters detected in URL parameters. Possible XSS attack.
This issue occurs when using a Dashboard bookmark that was saved prior to 7.0.2. Starting in 7.0.2, security was increased against Cross-Site Scripting (XSS), and the format of the URL saved in the bookmark is now flagged as a possible XSS attack. The cause is the '+' signs in the URL.
For example, the following bookmarked URL in 6.9.1 brings the user successfully to their dashboard page:
IPaddress:Port/aveksa/main?ReqType=GetPage&PageID=HomeTab_DashboardTab_Terminated+Password+Vault+Reviewers_DashboardDisplayPageData
In 7.0.2 and higher, the same URL fails and is flagged as a potential XSS attack. To resolve this problem, URLs in version 7.0.2 or higher are stripped of any '+' signs, as in the example below:
IPaddress:Port/aveksa/main?ReqType=GetPage&PageID=HomeTab_DashboardTab_TerminatedPasswordVaultReviewers_DashboardDisplayPageData
Because an RSA Identity Governance & Lifecycle patch does not modify user bookmarks, the older version of the URL is accessed when using the bookmark and the potential XSS risk is flagged.
For each Dashboard that has this issue, delete the old bookmark that accesses that Dashboard and create a new bookmark:
- Delete the problematic bookmark (browser dependent).
- Log in to the RSA Identity Governance & Lifecycle user interface.
- Navigate to the Dashboard that was no longer reachable via the bookmark. Note the Dashboard is now accessible and the URL has no '+' signs. This is the URL format required for 7.0.2 and above.
- Save the bookmark (browser dependent).
- Access the bookmark and note that the Dashboard is now accessible.
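To find which saved bookmarks are affected before users hit the error, the following added example (not RSA code) scans a browser bookmark export for `/aveksa/main` URLs whose `PageID` contains '+' and prints the '+'-stripped form described above for comparison. The function names, the Netscape-style HTML export format and the sample host are assumptions; the bookmark itself is still recreated with the steps above.

```python
import html
import re
from urllib.parse import urlsplit, urlunsplit

# Matches href values in a browser bookmark export (assumed Netscape HTML format).
HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)

def fix_page_id(url):
    """Return url with '+' removed from PageID, or None if it is unaffected."""
    parts = urlsplit(url)
    if not parts.path.endswith("/aveksa/main"):
        return None
    changed = False
    params = []
    # Split the raw query by hand: parse_qs would decode '+' to a space
    # and hide the character that the 7.0.2 check flags.
    for param in parts.query.split("&"):
        name, sep, value = param.partition("=")
        if name == "PageID" and "+" in value:
            value = value.replace("+", "")
            changed = True
        params.append(name + sep + value)
    if not changed:
        return None
    return urlunsplit(parts._replace(query="&".join(params)))

def audit_bookmarks(export_text):
    """Return (old_url, candidate_url) pairs for bookmarks saved before 7.0.2."""
    findings = []
    for raw in HREF_RE.findall(export_text):
        url = html.unescape(raw)  # exports escape '&' as '&amp;'
        fixed = fix_page_id(url)
        if fixed:
            findings.append((url, fixed))
    return findings

# Constructed sample export; host name and port are placeholders.
SAMPLE = """
<DT><A HREF="https://igl.example.com:8443/aveksa/main?ReqType=GetPage&amp;PageID=HomeTab_DashboardTab_Terminated+Password+Vault+Reviewers_DashboardDisplayPageData">Old</A>
<DT><A HREF="https://igl.example.com:8443/aveksa/main?ReqType=GetPage&amp;PageID=HomeTab_DashboardTab_TerminatedPasswordVaultReviewers_DashboardDisplayPageData">New</A>
<DT><A HREF="https://www.example.org/search?q=a+b">Unrelated</A>
"""

if __name__ == "__main__":
    for old, new in audit_bookmarks(SAMPLE):
        print("affected: ", old)
        print("candidate:", new)
```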