Issued: November 09, 2016
CA Technologies Support is alerting customers to a vulnerability in CA Service Desk Manager (formerly CA Service Desk). A reflected cross site scripting vulnerability, CVE-2016-9148, exists in the QBE.EQ.REF_NUM parameter of the SDM web interface. A remote attacker, who can trick a user into clicking on or visiting a specially crafted link, could potentially execute arbitrary code on the targeted user’s system. CA Technologies has assigned a Medium risk rating to this vulnerability. A solution is available.
CA Service Desk Manager 12.9, 14.1
How to determine if the installation is affected
Check the web.cfg file for the existence of the solution detailed in KB article TEC1774903.
Implement the solution detailed in KB article TEC1774903.
CVE-2016-9148 – SDM QBE.EQ.REF_NUM Reflected XSS Vulnerability
CVE-2016-9148 – Jerold Hoong
Version 1.0: Initial Release, 2016-11-09
A notification about this security notice will be sent to customers who are subscribed to Proactive Notifications.
If additional information is required, please contact CA Technologies Support at https://support.ca.com/.
If you discover a vulnerability in CA Technologies products, please report your findings to the CA Technologies Product Vulnerability Response Team at email@example.com.