VYPR
Unrated severity · NVD Advisory · Published Mar 29, 2018 · Updated Sep 16, 2024

CVE-2018-6586
Description

CA API Developer Portal 3.5 up to and including 3.5 CR6 has a stored cross-site scripting vulnerability related to profile picture processing.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CA API Developer Portal 3.5 up to and including CR6 has a stored XSS vulnerability reachable through profile picture upload.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in the profile picture processing functionality of CA API Developer Portal version 3.5 up to and including CR6. An attacker can inject arbitrary script code during the profile picture upload process, which is then stored and executed when other users view the attacker's profile. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). [1]

Exploitation

The attacker must be an authenticated portal user with the ability to upload a profile picture. The attacker uploads a crafted image file containing a malicious script payload. When the victim user views the attacker's profile page, the script executes in the context of the victim's browser session. No special network position or additional user interaction beyond viewing the profile is required. [1]

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the browser of any user viewing the attacker's profile. This can lead to session token theft, impersonation, defacement, or redirection to malicious sites. The CVSS risk rating is Medium. The attacker gains no elevated privileges on the server itself, but can compromise the browser sessions of other portal users. [1]

Mitigation

CA Technologies released CA API Developer Portal 3.5 CR7 to address this vulnerability. All users of version 3.5 (GA through CR6) should upgrade to CR7 or later. As stated in the advisory, version 4.0 and newer releases are not affected. No workarounds are provided in the advisory. [1]
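The advisory does not say which part of profile-picture processing failed to neutralize input, so the following added example (not CA's code, and not the CR7 fix) hardens the two points where an image upload typically turns into stored XSS: it trusts only the file's magic bytes rather than the client's filename or Content-Type, rejects text-based formats such as SVG or HTML that can carry script, serves the stored file with a fixed type and nosniff, and HTML-escapes any upload-derived string rendered on the profile page. All sizes, headers and sample bytes are constructed for the example.

```python
# Added example, not CA's code: defensive handling of a profile-picture upload.
import html
from typing import Optional

MAX_BYTES = 2 * 1024 * 1024  # constructed size limit for the example

# Magic bytes -> canonical MIME type for the raster formats we allow.
RASTER_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}


def sniff_raster_type(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the file header, or None for anything else."""
    for magic, mime in RASTER_MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def validate_profile_picture(data: bytes, declared_type: str) -> dict:
    """Accept only real PNG/JPEG/GIF bytes whose sniffed type matches the declared one."""
    if not data or len(data) > MAX_BYTES:
        return {"ok": False, "reason": "size"}
    sniffed = sniff_raster_type(data)
    if sniffed is None:
        # SVG, HTML or a bare script body all land here, whatever the extension says.
        return {"ok": False, "reason": "not-a-raster-image"}
    if sniffed != declared_type.split(";")[0].strip().lower():
        return {"ok": False, "reason": "type-mismatch"}
    return {"ok": True, "mime": sniffed}


def serving_headers(mime: str) -> dict:
    """Headers for serving a stored picture: fixed type, no sniffing, no active content."""
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": 'inline; filename="avatar"',
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


def render_picture_tag(url: str, original_filename: str) -> str:
    """Escape upload-derived strings before they reach the profile page markup."""
    return '<img src="%s" alt="%s">' % (html.escape(url, quote=True),
                                        html.escape(original_filename, quote=True))


# Constructed inputs: a PNG header stub and an SVG document carrying script.
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SVG_WITH_SCRIPT = b'<svg xmlns="http://www.w3.org/2000/svg"><script>x()</script></svg>'
```

Re-encoding accepted images through an image library before storage is a stronger variant of the same control, since it discards any metadata or trailing data the sniff alone does not inspect.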

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
