CA Identity Governance is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
CA Identity Governance 12.6 is vulnerable; other versions may also be affected.
Information
Bugtraq ID: 101849Class: Input Validation Error
CVE: CVE-2017-9394
Remote: Yes
Local: No
Published: Nov 15 2017 12:00AM
Updated: Nov 15 2017 12:00AM
Credit: Jake Miller of Blue Canopy.
Vulnerable: Ca Identity Governance 12.6
Not Vulnerable: Ca Identity Governance 12.6.5
Exploit
An attacker can exploit this issue using a web browser.
References:
- CA Homepage (CA Technologies)
- CA20171114-01: Security Notice for CA Identity Governance (CA)
