VYPR
Unrated severity · NVD Advisory · Published Aug 3, 2018 · Updated Sep 16, 2024

CVE-2018-6590


Description

CA API Developer Portal 4.x, prior to v4.2.5.3 and v4.2.7.1, has an unspecified reflected cross-site scripting vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CA API Developer Portal 4.x before 4.2.5.3 and 4.2.7.1 contains a reflected cross-site scripting vulnerability due to insufficient parameter filtering.

Vulnerability

CA API Developer Portal versions 4.0, 4.1, and 4.2.x prior to 4.2.5.3 and 4.2.7.1 contain a reflected cross-site scripting (XSS) vulnerability [1]. The issue exists within the web user interface and is caused by insufficient parameter filtering, allowing an attacker to inject arbitrary script [1].

Exploitation

A remote attacker can exploit this vulnerability by crafting a malicious URL or request containing a script payload in an unsanitized parameter [1]. The attacker must trick a user into clicking or accessing the crafted link, which causes the injected script to execute within the victim's browser context [1]. No authentication is required for the attacker to deliver the payload, though user interaction (clicking a link) is necessary [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session [1]. This can lead to unauthorized actions such as session hijacking, credential theft, or defacement of the portal interface. The impact is rated as Medium severity by CA [1].

Mitigation

CA has released updates to address the vulnerability. Customers on affected versions (v4.0, v4.1, v4.2.x) should upgrade to CA API Developer Portal v4.2.5.3 or v4.2.7.1 (or later) [1]. No workarounds are provided in the advisory [1]. Version 3.5 is listed as unaffected [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
