Cross-Site Scripting (XSS) Vulnerability

More information

Multiple reflected cross-site scripting (XSS) vulnerabilities exist in the F-Secure Policy Manager. Due to an unvalidated parameter in the endpoint, a remote attacker can provide malicious input to trigger an XSS vulnerability.

This issue was reported to WithSecure through the Vulnerability Reward Program. No known exploit or attack has been seen in the wild.


User action is required. The Administrator of the system should download the Hotfix and deploy it to the F-Secure Policy Manager.

Hotfix 3 has been published to fix this vulnerability.

Download and instructions on: 


WithSecure would like to thank the following person for bringing this issue to our attention.

Kevin Joensen



Change log

Date : 12.05.22 : F-Secure Policy Manager Proxy is not affected by this vulnerability


  • Fixed
  • Risk level: Medium
  • Affected products: F-Secure Policy Manager for Linux, F-Secure Policy Manager for Windows
  • Platforms: All supported platforms for the affected products
  • Date issued: 2022-10-19