VYPR
Unrated severity · NVD Advisory · Published Apr 15, 2020 · Updated Aug 4, 2024

CVE-2020-11664

Description

CA API Developer Portal 4.3.1 and earlier handles homeRedirect page redirects in an insecure manner, which allows attackers to perform open redirect attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CA API Developer Portal 4.3.1 and earlier contains an open redirect vulnerability in the homeRedirect page, allowing attackers to redirect users to malicious external sites.

Vulnerability

CVE-2020-11664 is an open redirect vulnerability in CA API Developer Portal, a product for managing API access and developer portals, affecting versions 4.3.1 and earlier. The homeRedirect page handles redirects in an insecure manner, so an attacker can craft a URL that, when visited by a user, redirects them to an arbitrary external domain controlled by the attacker [1].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious link that includes a manipulated homeRedirect parameter pointing to an attacker-controlled external site. The attacker does not require authentication or any special privileges to carry out the attack. The victim must click on the crafted link, which could be delivered via email, social engineering, or other means. Once clicked, the browser is redirected to the external site without validation [1].

Impact

Successful exploitation allows an attacker to perform an open redirect attack, potentially leading to phishing or other social engineering attacks. The victim may be tricked into entering credentials or other sensitive information on a spoofed login page hosted on the attacker's site. The severity is low because the attacker does not gain direct access to the portal or its data, but rather uses the redirect for further deception [1].

Mitigation

Broadcom published security solutions to address this vulnerability. The advisory recommends that all affected customers apply the updates provided. The specific fixed version is not disclosed in the available references, but it is likely included in a later release of CA API Developer Portal. Users should upgrade to the latest version available from the Broadcom support portal. No workarounds are mentioned [1].
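Until the update is applied, access logs can be reviewed for homeRedirect requests that carry an off-site target. The following is an added example, not code from Broadcom or from this advisory; the combined log format, the `/homeRedirect?url=` request shape, the parameter name `url`, and the host `portal.example.com` are assumptions, and the log lines are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumption: the only host the portal should ever redirect to.
ALLOWED_HOSTS = {"portal.example.com"}
# Request field of a combined-format access log line.
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

# Constructed sample lines; the /homeRedirect?url= shape is assumed.
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Apr/2020:10:00:00 +0000] "GET /homeRedirect?url=%2Fdashboard HTTP/1.1" 302 0',
    '203.0.113.9 - - [15/Apr/2020:10:01:00 +0000] "GET /homeRedirect?url=https%3A%2F%2Flogin.attacker.example%2F HTTP/1.1" 302 0',
    '203.0.113.9 - - [15/Apr/2020:10:02:00 +0000] "GET /homeRedirect?url=%5C%5Cattacker.example%2Flogin HTTP/1.1" 302 0',
    '203.0.113.7 - - [15/Apr/2020:10:03:00 +0000] "GET /homeRedirect?url=https%3A%2F%2Fportal.example.com%2Fapis HTTP/1.1" 302 0',
    '203.0.113.9 - - [15/Apr/2020:10:04:00 +0000] "GET /homeRedirect?url=https%253A%252F%252Fattacker.example HTTP/1.1" 302 0',
]


def external_host(value):
    """Return the off-site host a redirect value resolves to, else None."""
    # Browsers read backslashes as slashes and drop tabs and newlines.
    v = re.sub(r"[\t\r\n]", "", value.strip().replace("\\", "/"))
    if v.startswith("//"):  # scheme-relative target: still leaves the site
        v = "https:" + v
    try:
        parts = urlsplit(v)
    except ValueError:  # malformed authority such as an unclosed "["
        return None
    if parts.scheme.lower() not in ("http", "https"):
        return None  # relative path or non-web scheme: not an off-site redirect
    host = (parts.hostname or "").lower()
    return host if host and host not in ALLOWED_HOSTS else None


def suspicious_redirects(log_lines):
    """Return (line_number, host) for homeRedirect requests sent off-site."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if not m or "homeredirect" not in m.group(1).lower():
            continue
        query = m.group(1).partition("?")[2]
        for _, value in parse_qsl(query, keep_blank_values=True):
            # The second decode catches double-encoded targets.
            host = external_host(value) or external_host(unquote(value))
            if host:
                hits.append((n, host))
                break
    return hits

print(suspicious_redirects(SAMPLE_LOG))
```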

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

References: 4
