VYPR
Unrated severity · NVD Advisory · Published Mar 29, 2018 · Updated Sep 17, 2024

CVE-2018-6587

Description

CA API Developer Portal 3.5 up to and including 3.5 CR6 has a reflected cross-site scripting vulnerability related to the widgetID variable.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A reflected XSS vulnerability exists in the handling of the widgetID variable in CA API Developer Portal 3.5 up to and including 3.5 CR6, allowing a remote attacker to execute arbitrary script in the browser session of a user who follows a crafted link.

Vulnerability

A reflected cross-site scripting (XSS) vulnerability exists in CA API Developer Portal versions 3.5 GA through 3.5 CR6. The flaw lies in the handling of the widgetID variable [1]. An attacker can supply script code in a crafted request, and the portal reflects that value back into the response without adequate output encoding or sanitization, so the browser executes it as part of the page.

Exploitation

The attacker does not need an account on the portal and delivers the payload as a crafted URL, typically by phishing or by embedding the link on a page the victim visits. If the victim follows the link while authenticated to the portal, the injected script executes in the origin of the portal and therefore in the context of the victim's session. No user interaction beyond following the link is required [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser within the security context of the affected portal. This can lead to session hijacking, defacement, or redirection to malicious sites. The risk rating assigned to this vulnerability is Medium [1].

Mitigation

The vendor (CA Technologies, now Broadcom) released CA API Developer Portal 3.5 CR7, which addresses this vulnerability. Customers are advised to upgrade to 3.5 CR7 or later. Portal 4 and newer versions are not affected [1]. No workaround was provided in the available references.
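The references do not disclose where in the portal the widgetID value is reflected, so the handler below is a stand-in, not CA's code: an added example that shows the reflected-XSS pattern described under Vulnerability next to the hardened form the CR7 fix would have to implement, plus the black-box probe a tester would use to confirm whether a given build reflects the parameter unencoded. The URL, the markup, the helper names and the allow-list pattern are all assumptions for illustration.

```python
"""
Added example (not from the advisory or from CA): a reflected-XSS sink on a
query parameter named widgetID, the context-aware encoding that fixes it, and
the reflection probe used to tell the two apart. Handler, markup and URL are
hypothetical.
"""
import html
import re
from urllib.parse import parse_qs, quote, urlsplit

# Hypothetical allow-list for a widget identifier: short, alphanumeric, dashes
# and underscores only. Rejecting anything else is defence in depth on top of
# output encoding, not a replacement for it.
WIDGET_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def _widget_id(url: str) -> str:
    """Return the first widgetID query value, or '' if absent."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("widgetID", [""])[0]


def validate_widget_id(widget_id: str) -> bool:
    """Allow-list check; anything that could break out of markup fails."""
    return WIDGET_ID_RE.fullmatch(widget_id) is not None


def render_widget_vulnerable(url: str) -> str:
    """The flaw: widgetID is concatenated into HTML exactly as received.

    A value such as  "><svg onload=alert(1)>  closes the id attribute and
    the div, and the rest is parsed as new markup with live script."""
    wid = _widget_id(url)
    return f'<div id="widget-{wid}" data-widget="{wid}">Widget {wid}</div>'


def render_widget_fixed(url: str) -> str:
    """Hardened form: reject values outside the allow-list, and HTML-entity
    encode every reflection (quote=True so the attribute context is covered).

    The encoding alone closes the XSS; the allow-list shrinks the attack
    surface further and gives a clean error instead of odd-looking output."""
    wid = _widget_id(url)
    if not validate_widget_id(wid):
        return "<p>Invalid widget identifier.</p>"
    safe = html.escape(wid, quote=True)
    return f'<div id="widget-{safe}" data-widget="{safe}">Widget {safe}</div>'


def reflects_unencoded(render, probe: str = '"><svg onload=alert(1)>') -> bool:
    """Black-box reflection test: send a probe containing the characters that
    matter in an HTML attribute context and see whether it comes back
    byte-for-byte. True means the handler reflects without encoding."""
    url = "https://portal.example/widget?widgetID=" + quote(probe)
    return probe in render(url)


if __name__ == "__main__":
    print("vulnerable reflects raw probe:", reflects_unencoded(render_widget_vulnerable))
    print("fixed reflects raw probe:     ", reflects_unencoded(render_widget_fixed))
    print(render_widget_fixed("https://portal.example/widget?widgetID=dashboard-01"))
```

The probe deliberately leads with a double quote and a closing angle bracket: those are the two characters that must be neutralised for a value landing inside a quoted attribute, so a response that still contains them verbatim is exploitable regardless of what the rest of the page looks like. Against a patched build the same probe should come back entity-encoded or rejected.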

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
