VYPR
Unrated severity · NVD Advisory · Published Feb 24, 2010 · Updated Apr 29, 2026

CVE-2010-0640

Description

Cross-site scripting (XSS) vulnerability in CA eHealth Performance Manager 6.0.x through 6.2.x, when malicious HTML detection is disabled, allows remote attackers to inject arbitrary web script or HTML via a crafted request.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CA eHealth Performance Manager 6.0.x through 6.2.x is vulnerable to stored XSS when malicious HTML detection is disabled, allowing remote attackers to inject arbitrary script via crafted requests.

Vulnerability

CVE-2010-0640 is a cross-site scripting (XSS) vulnerability in CA eHealth Performance Manager versions 6.0.x through 6.2.x [1]. The flaw resides in insufficient validation of certain characters in web interface requests, and is only exploitable when the configuration setting "Scan user input for potentially malicious HTML content" is disabled [1].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious URL containing arbitrary web script or HTML and convincing an unsuspecting user to follow that URL [1]. No authentication is required because the attack relies on social engineering to trigger the XSS.

Impact

Successful exploitation allows a remote attacker to inject arbitrary web script or HTML into the context of the affected web interface, potentially leading to disclosure of sensitive information or execution of actions on behalf of the victim user [1].

Mitigation

To remediate the vulnerability, enable the "Scan user input for potentially malicious HTML content" setting in the eHealth Web Interface configuration [1]. This is done by logging in as Admin, navigating to the "Administration" tab, selecting "Site Configuration", changing the option from "No" to "Yes", and saving [1].

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • cpe:2.3:a:ca:ehealth_performance_manager:6.0:*:*:*:*:*:*:*
  • cpe:2.3:a:ca:ehealth_performance_manager:6.1:*:*:*:*:*:*:*
  • cpe:2.3:a:ca:ehealth_performance_manager:6.2:*:*:*:*:*:*:*
  • (no CPE) range: 6.0.x - 6.2.x

Patches

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

News mentions

No linked articles in our index yet.