what you don't know can hurt you

CA Automic Workload Automation 12.x Cross Site Scripting

CA Automic Workload Automation 12.x Cross Site Scripting
Posted Jan 24, 2019
Authored by Ken Williams, Marc Nimmerrichte | Site www3.ca.com

CA Technologies Support is alerting customers to a potential risk with CA Automic Workload Automation Automic Web Interface (AWI). A vulnerability exists that can allow an attacker to potentially conduct persistent cross site scripting (XSS) attacks. The vulnerability has a medium risk rating and concerns insufficient output sanitization, which can allow an attacker to potentially conduct persistent cross site scripting (XSS) attacks. Versions 12.0, 12.1 and 12.2 are affected.

tags | advisory, web, xss
advisories | CVE-2019-6504
MD5 | 7a2927d39fb28bb1d5fe04e9edcc54d3

CA Automic Workload Automation 12.x Cross Site Scripting

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

CA20190124-01: Security Notice for CA Automic Workload Automation

Issued: January 24, 2019
Last Updated: January 24, 2019

CA Technologies Support is alerting customers to a potential risk with
CA Automic Workload Automation Automic Web Interface (AWI). A
vulnerability exists that can allow an attacker to potentially conduct
persistent cross site scripting (XSS) attacks.

The vulnerability, CVE-2019-6504, has a medium risk rating and
concerns insufficient output sanitization, which can allow an attacker
to potentially conduct persistent cross site scripting (XSS) attacks.


Risk Rating

Medium


Platform(s)

All supported platforms


Affected Products

CA Automic Workload Automation 12.0
CA Automic Workload Automation 12.1
CA Automic Workload Automation 12.2


Unaffected Products

CA Automic Workload Automation 12.0 with Automic.Web.Interface
12.0.6 HF2

CA Automic Workload Automation 12.1 with Automic.Web.Interface
12.1.3 HF3

CA Automic Workload Automation 12.2 with Automic.Web.Interface
12.2.1 HF1


How to determine if the installation is affected

The version number is visible in the About section of AWI. Check the
About window after login to AWI to determine the current installed
version.


Solution

CA Technologies published the following solutions to address the
vulnerabilities.

CA Automic Workload Automation 12.0:
Apply Automic.Web.Interface 12.0.6 HF2

CA Automic Workload Automation 12.1:
Apply Automic.Web.Interface 12.1.3 HF3

CA Automic Workload Automation 12.2:
Apply Automic.Web.Interface 12.2.1 HF1

The fixes can be found at https://downloads.automic.com/


References

CVE-2019-6504 - CA Automic Workload Automation Persistent XSS
vulnerability


Acknowledgement

CVE-2019-6504 - Marc Nimmerrichter from SEC Consult Vulnerability Lab


Change History

Version 1.0: 2019-01-24 - Initial Release


Customers who require additional information about this notice may
contact CA Technologies Support at https://support.ca.com/

To report a suspected vulnerability in a CA Technologies product,
please send a summary to CA Technologies Product Vulnerability
Response at vuln <AT> ca.com

Security Notices and PGP key
support.ca.com/irj/portal/anonymous/phpsbpldgpg
www.ca.com/us/support/ca-support-online/documents.aspx?id=177782

Regards,
Ken Williams
Vulnerability Response Director, Enterprise Software R&D
CA Technologies, A Broadcom Company | ca.com | broadcom.com


Copyright (c) 2019 Broadcom. All Rights Reserved. The term "Broadcom"
refers to Broadcom Inc. and/or its subsidiaries. Broadcom, the pulse
logo, Connecting everything, CA Technologies and the CA technologies
logo are among the trademarks of Broadcom. All other trademarks, trade
names, service marks, and logos referenced herein belong to their
respective companies.

-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.2 (Build 15238)
Charset: utf-8

wsFVAwUBXEpaSblJjor7ahBNAQh8eBAAjEuXp96eWVTv+bmSGBUi8qE/ql0m366n
ApEqok1M0uNiwAte+MpZCfe1QBXzEMlxI3rRzwoU/2AgN6td1Ot2onF3ZSu41xZZ
T5Vl8YUgD+H+1aG+lPb2PtqGAkKiiq9/0v7Usa3j2Q0hFcOuzFizUrFwL0zisQqQ
3Yqxe0Z524bxsYOoq3tM6u40hJepA/xrRVehLDXZBEUPoebZ3GjRSgAtcrm1umlQ
i4i35xXJ5bO4un0AdBITl9pbYFRsWsT/UmC3SWuqrRNEfPifig0+N0mQFr3HYss8
7P/t9unyX45K8lK8x88zZVLoEpN4hZSi5ClH3KP7ZaSmWlgQXLP7Llw/DAy8oOPc
xl8QPkhgNusrBgvUb2LtOoIzD89V+bz2tHYpJ0jpYjXRAjTvfmWCpq96+Kv9qj2/
CGjUHSxrLOvKhg+p3UHerAFYpIa0R4qajoN6D/w69fqaD+8Yzq82oK73M9dcXjPG
oiT5V+nC9eWufjpugrJL3ZfaXGz9guLzKrI1IToKNj9iv35umVkSNil3zE5N7nuz
UQtqxEBjD/P54KM8fULbtl+4MbWUB7eDq4jeCvD8Ipe3smJ32VfDzMhco4IYxxVS
yQt7+lMzNYi/yYazREJzdNbsRw8oCtYJUeYeZtGw1QeUK84TP3dobwqZHte+MonN
nJwOOIH2Kpg=
=90ur
-----END PGP SIGNATURE-----

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

June 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    1 Files
  • 2
    Jun 2nd
    2 Files
  • 3
    Jun 3rd
    19 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    15 Files
  • 6
    Jun 6th
    12 Files
  • 7
    Jun 7th
    11 Files
  • 8
    Jun 8th
    1 Files
  • 9
    Jun 9th
    1 Files
  • 10
    Jun 10th
    15 Files
  • 11
    Jun 11th
    15 Files
  • 12
    Jun 12th
    15 Files
  • 13
    Jun 13th
    8 Files
  • 14
    Jun 14th
    16 Files
  • 15
    Jun 15th
    2 Files
  • 16
    Jun 16th
    1 Files
  • 17
    Jun 17th
    18 Files
  • 18
    Jun 18th
    15 Files
  • 19
    Jun 19th
    22 Files
  • 20
    Jun 20th
    15 Files
  • 21
    Jun 21st
    15 Files
  • 22
    Jun 22nd
    2 Files
  • 23
    Jun 23rd
    1 Files
  • 24
    Jun 24th
    23 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close