CVE-2018-6588
Description
CA API Developer Portal 3.5 up to and including 3.5 CR5 has a reflected cross-site scripting vulnerability related to the apiExplorer.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CA API Developer Portal 3.5 GA through CR5 contains a reflected cross-site scripting vulnerability in the apiExplorer component.
Vulnerability
The CA API Developer Portal versions 3.5 GA through 3.5 CR5 include a reflected cross-site scripting (XSS) vulnerability in the apiExplorer component [1]. The bug is due to insufficient input validation or output encoding when handling requests to the apiExplorer, allowing an attacker to inject arbitrary JavaScript code into a response page [1]. This affects portal installations on all supported platforms [1].
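The paragraph above attributes the bug to missing output encoding when request input is reflected into the apiExplorer response. The following is an added illustration, not code from the CA advisory or the Developer Portal itself: a minimal request handler that echoes a query parameter raw (the vulnerable pattern) beside the same handler with HTML output encoding applied. The route `/apiExplorer`, the parameter name `q`, the page layout and the sample input are all assumptions made for the example.

```javascript
// Added example, not part of the CVE record or the vendor's product code.
// Assumed route and parameter: /apiExplorer?q=<value>

// Minimal HTML encoder for the HTML text context: the five characters that
// can change the parse state of an HTML document.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Vulnerable pattern: the untrusted parameter is interpolated into markup as-is,
// so any markup in the request is reflected straight back to the browser.
function renderVulnerable(query) {
  return `<html><body><h1>API Explorer</h1><p>Results for: ${query}</p></body></html>`;
}

// Hardened pattern: the same page, but every untrusted value is encoded for the
// context it lands in (here, HTML text). The browser shows the characters
// literally instead of parsing them as elements.
function renderHardened(query) {
  return `<html><body><h1>API Explorer</h1><p>Results for: ${escapeHtml(query)}</p></body></html>`;
}

// Handler that models the reflection path: request URL -> query parameter -> page.
// `hardened` selects which rendering is used so both behaviours can be compared.
function handleRequest(requestUrl, hardened) {
  // A base origin is required by the WHATWG URL parser for relative paths.
  const url = new URL(requestUrl, 'http://localhost');
  if (url.pathname !== '/apiExplorer') {
    return { status: 404, body: 'Not found' };
  }
  const q = url.searchParams.get('q') ?? '';
  return { status: 200, body: hardened ? renderHardened(q) : renderVulnerable(q) };
}

// Regression check usable in a test suite: does the response body contain an
// unencoded <script ...> element? Naive, but enough to catch the raw-reflection bug.
function containsScriptElement(html) {
  return /<script\b/i.test(html);
}

// Constructed sample request, not a payload taken from the advisory.
const SAMPLE_REQUEST = '/apiExplorer?q=<script>alert(1)</script>';

function compare() {
  return {
    vulnerableReflectsScript: containsScriptElement(handleRequest(SAMPLE_REQUEST, false).body),
    hardenedReflectsScript: containsScriptElement(handleRequest(SAMPLE_REQUEST, true).body),
  };
}

console.log(compare()); // { vulnerableReflectsScript: true, hardenedReflectsScript: false }
```

Encoding at the point of output is the control that matters here; input validation alone is brittle because the same value may later be rendered in several contexts (HTML text, attribute, JavaScript string, URL), each needing its own encoder.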
Exploitation
An attacker can trigger the reflected XSS by crafting a malicious link that includes a JavaScript payload in the request to the apiExplorer [1]. The target does not need authentication; the attacker only needs to trick a logged-in user into clicking the specially crafted link (e.g., via a phishing email or social engineering) [1]. No special network position or user interaction beyond clicking the link is required [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session within the same domain [1]. This can lead to session hijacking, credential theft, defacement, or other actions that the victim's user account can perform [1]. The attack has medium risk severity according to the vendor [1].
Mitigation
The vendor released CA API Developer Portal 3.5 CR7 to fix this vulnerability [1]. Users should upgrade to 3.5 CR7 or later; version 4.0 and newer are not affected [1]. No workaround is specified in the advisory [1]. If upgrading is not immediately possible, restrict access to the portal from untrusted networks and educate users about XSS risks [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- CA Technologies / CA API Developer Portal: version 3.5, range <= 3.5 CR5
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] www.securitytracker.com/id/1040603 (MITRE vdb-entry, x_refsource_SECTRACK)
- [1] support.ca.com/us/product-content/recommended-reading/security-notices/ca20180328-01--security-notice-for-ca-api-developer-portal.html (MITRE, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.