CA Identity Governance version 12.6 suffers from a cross site scripting vulnerability.
-----BEGIN PGP SIGNED MESSAGE-----
CA20171114-01: Security Notice for CA Identity Governance
Issued: November 14, 2017
Last Updated: November 14, 2017
CA Technologies support is alerting customers to a potential risk
with CA Identity Governance. A vulnerability exists that can
potentially allow a malicious actor to conduct cross-site scripting
attacks. CA published a solution to resolve the issue.
The vulnerability, CVE-2017-9394, occurs due to insufficient input
validation that can result in a stored cross-site scripting
vulnerability. The vulnerability can allow an authenticated remote
attacker to display HTML or execute script in the context of another
All Server Environments where CA Identity Governance can be deployed.
Please refer to the Platform Support Matrix in the product
documentation at https//docops.ca.com
CA Identity Governance 12.6
Note: CA Identity Governance (formerly GovernanceMinder) releases
prior to 12.6 are no longer supported
CA Identity Governance 14.0, 14.1
How to determine if the installation is affected
Use the web interface to determine the version and check the version
against the affected products list.
CA Identity Governance 12.6.5:
Update to CA Identity Governance 12.6.5 CR1 CP3 - RS98844
CA Identity Governance releases previous to 12.6.5:
Open a support ticket to request a hotfix
CVE-2017-9394 - CA Identity Governance stored XSS
CVE-2017-9394 - Jake Miller of Blue Canopy - A Jacobs company
Version 1.0: Initial Release
If additional information is required, please contact CA Technologies
Support at https://support.ca.com/
If you discover a vulnerability in CA Technologies products, please
report your findings to CA Technologies Product Vulnerability
Response at vuln <AT> ca.com
Security Notices and PGP key
Vulnerability Response Director
CA Technologies Product Vulnerability Response
Copyright (c) 2017 CA. 520 Madison Avenue, 22nd Floor, New York, NY
10022. All other trademarks, trade names, service marks, and logos
referenced herein belong to their respective companies.
-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop
-----END PGP SIGNATURE-----
CA Identity Governance CVE-2017-9394 HTML Injection Vulnerability
Ca Identity Governance 12.6 ,Ca Identity Governance 12.6.5
Ca Identity Governance 12.6.5
CA Identity Governance is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
CA Identity Governance 12.6 is vulnerable; other versions may also be affected.
An attacker can exploit this issue using a web browser.
Updates are available. Please see the references or vendor advisory for more information.