VYPR
Unrated severity · NVD Advisory · Published Jun 18, 2018 · Updated Sep 17, 2024

CVE-2018-9027

Description

A reflected cross-site scripting vulnerability in CA Privileged Access Manager 2.x allows remote attackers to execute malicious script with a specially crafted link.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS in CA Privileged Access Manager 2.x allows remote attackers to execute malicious script via a crafted link.

Vulnerability

A reflected cross-site scripting (XSS) vulnerability exists in CA Privileged Access Manager 2.x due to insufficient input validation in multiple scripts [1]. The vulnerability allows a remote attacker to inject arbitrary JavaScript into the application's response via a specially crafted URL. The affected versions are all releases of CA Privileged Access Manager 2.x.

Exploitation

An attacker can exploit this vulnerability by crafting a malicious link containing the XSS payload and convincing a victim to click it. The attacker needs no authentication, but the victim must be logged in to the application for the attacker to potentially leverage the victim's session. The injected script executes in the context of the victim's session.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser, potentially leading to session theft, credential harvesting, or other client-side attacks. The impact is limited by the browser's same-origin policy but can be significant if the victim has elevated privileges in the application.

Mitigation

CA Technologies released a security notice on June 14, 2018, addressing this vulnerability [1]. Customers should apply the provided security update or upgrade to a fixed version as detailed in the notice. No workarounds are documented.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

2
