CVE-2018-6588
CVSS4.3
发布时间 :2018-03-29 09:29:00
修订时间 :2018-04-18 09:49:07
NMP    

[原文]CA API Developer Portal 3.5 up to and including 3.5 CR5 has a reflected cross-site scripting vulnerability related to the apiExplorer.


[CNNVD]CNNVD数据暂缺。


[机译]译文暂缺.

- CVSS (基础分值)

CVSS分值: 4.3 [中等(MEDIUM)]
机密性影响: NONE [对系统的机密性无影响]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: NONE [对系统可用性无影响]
攻击复杂度: MEDIUM [漏洞利用存在一定的访问条件]
攻击向量: NETWORK [攻击者不需要获取内网访问权或本地访问权]
身份认证: NONE [漏洞利用无需身份认证]

- CWE (弱点类目)

CWE-79 [在Web页面生成时对输入的转义处理不恰当(跨站脚本)]

- CPE (受影响的平台与产品)

cpe:/a:ca:api_developer_portal:3.5
cpe:/a:ca:api_developer_portal:3.5:cr1
cpe:/a:ca:api_developer_portal:3.5:cr2
cpe:/a:ca:api_developer_portal:3.5:cr3
cpe:/a:ca:api_developer_portal:3.5:cr4
cpe:/a:ca:api_developer_portal:3.5:cr5

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6588
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-6588
(官方数据源) NVD

- 其它链接及资源

http://www.securitytracker.com/id/1040603
(VENDOR_ADVISORY)  SECTRACK  1040603
https://support.ca.com/us/product-content/recommended-reading/security-notices/ca20180328-01--security-notice-for-ca-api-developer-portal.html
(VENDOR_ADVISORY)  CONFIRM  https://support.ca.com/us/product-content/recommended-reading/security-notices/ca20180328-01--security-notice-for-ca-api-developer-portal.html

- 漏洞信息 (F146952)

CA API Developer Portal Cross Site Scripting (PacketStormID:F146952)
2018-03-29 00:00:00
Kevin Kotas,Alphan Yavas  www3.ca.com
advisory,remote,vulnerability,xss
CVE-2018-6586,CVE-2018-6587,CVE-2018-6588
[点击下载]

CA Technologies Support is alerting customers to multiple potential risks with CA API Developer Portal. Multiple vulnerabilities exist that can allow a remote attacker to conduct cross-site scripting attacks.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

CA20180328-01: Security Notice for CA API Developer Portal

Issued: March 28, 2018
Last Updated: March 28, 2018

CA Technologies Support is alerting customers to multiple potential
risks with CA API Developer Portal. Multiple vulnerabilities exist
that can allow a remote attacker to conduct cross-site scripting
attacks.

The first vulnerability, CVE-2018-6586, has a medium risk rating
and concerns profile picture management which can allow a remote
attacker to conduct stored cross-site scripting attacks (CWE-79).

The second vulnerability, CVE-2018-6587, has a medium risk rating
and concerns the widgetID variable, which can allow a remote attacker
to conduct reflected cross-site scripting attacks (CWE-79).

The third vulnerability, CVE-2018-6588, has a medium risk rating and
concerns how the apiExplorer handles requests, which can allow a
remote attacker to conduct reflected cross-site scripting attacks
(CWE-79).

Risk Rating

CVE Identifier
Risk Rating

CVE-2018-6586
Medium

CVE-2018-6587
Medium

CVE-2018-6588
Medium

Platform(s)

All supported platforms

Affected Products

CVE Identifier
Affected Product and Releases

CVE-2018-6586
CA API Developer Portal 3.5 GA through and including CR6

CVE-2018-6587
CA API Developer Portal 3.5 GA through and including CR6

CVE-2018-6588
CA API Developer Portal 3.5 GA through and including CR5

*CA API Developer Portal was formerly called CA Layer 7 API Portal

Unaffected Products

CA API Developer Portal 4 and newer releases

How to determine if the installation is affected

Customers may use the CA API Developer Portal web interface to find
the product version and then use the table in the Affected Products
section to determine if the installation is vulnerable.

Solution

CA Technologies published the following solution to address the
vulnerabilities.

CA API Developer Portal 3.5:
Update to CA API Developer Portal 3.5 CR7 to address all
vulnerabilities in this security notice.

References

CVE-2018-6586 - CA API Developer Portal profile picture stored XSS
CVE-2018-6587 - CA API Developer Portal widgetID reflected XSS
CVE-2018-6588 - CA API Developer Portal apiExplorer reflected XSS

Acknowledgement

CVE-2018-6586, CVE-2018-6587, CVE-2018-6588 - Alphan Yavas of Biznet
Bilisim A.S.

Change History

Version 1.0: Initial Release

Customers who require additional information about this notice may
contact CA Technologies Support at https://support.ca.com/

If you discover a vulnerability in CA Technologies products, please
send a report to CA Technologies Product Vulnerability Response 
at vuln <AT> ca.com

Security Notices and PGP key
support.ca.com/irj/portal/anonymous/phpsbpldgpg
www.ca.com/us/support/ca-support-online/documents.aspx?id=177782

Regards,

Kevin Kotas
Vulnerability Response Director
CA Technologies Product Vulnerability Response

Copyright (c) 2018 CA. 520 Madison Avenue, 22nd Floor, New York, NY
10022.  All other trademarks, trade names, service marks, and logos
referenced herein belong to their respective companies.

-----BEGIN PGP SIGNATURE-----
Charset: utf-8

wsFVAwUBWrvd68Mr2sgsME5lAQrachAAp0ZZkIUet++ujK83vtp4E7wIwNTv+Tmu
5pKj97hEO6UzPsZdHVYGs/dI1XNJ2O8b7TAObaPQgE44W6PbwjTkA5ZieoCVBAhX
cA4+M4lnwW6jqLjQlCZwHf0G5v+ioPkfVgesEYkYhMEhgZTwDioJNgvu15wbSz8i
gqsiynUoOHENpa7L/m5fHny+7sav1056Iq1ZxEuJJjWEYUhHKbgRpDCpgh0YuZkZ
c7KdJ3qN0TcR9yJQjaAodpAvVW/ukWXpTOho7lc547gI49dOpOrZbvO30c0VdTgq
Qivzm/ID1d+I0PNiwYjz9Xn5rQKvm3SVHRpVOjWVuIYEe+AoZIyCCk11Q6tKmfn1
eDjI/HwOyCuk03G/QhwCTOMWJmCdM+iLJcsSYwB/59JEDX6Y1ERrQ5nmXimO5dH8
KCmeeyfdnJnSujsiZ4nWKkBcT07jAp5EIlI570AoMu1FlxOTBndI20BdauIjCUGh
2oMCGvYjP5C16Wuq5Gn7socxdaHUuoUz1opr5aB/dwCsybKMBeEl1Lac16i6SyBM
F2zOczLezRCzmZgQCGpeyx6GL+UIT7J2XcwaZPWJXZwmjzzzzp0+CrlHzmCjKJi+
nQTfdztfUpUb5448SHFXV1J30oY6gytKhM98l4qd2GZYQWwmPJn0yDhShzdgzC6r
qmUPpbvXFXo=
=to4L
-----END PGP SIGNATURE-----
    
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站