CA20161109-02:  Security Notice for CA Service Desk Manager

Issued:  November 09, 2016

CA Technologies Support is alerting customers to a vulnerability in CA Service Desk Manager (formerly CA Service Desk).  A reflected cross site scripting vulnerability, CVE-2016-9148, exists in the QBE.EQ.REF_NUM parameter of the SDM web interface.  A remote attacker, who can trick a user into clicking on or visiting a specially crafted link, could potentially execute arbitrary code on the targeted user’s system.  CA Technologies has assigned a Medium risk rating to this vulnerability.  A solution is available.

Risk Rating

Medium

Platform(s)

All

Affected Products

CA Service Desk Manager 12.9, 14.1

How to determine if the installation is affected

Check the web.cfg file for the existence of the solution detailed in KB article TEC1774903.

Solution 

Implement the solution detailed in KB article TEC1774903.

Workaround

None

References

CVE-2016-9148 – SDM QBE.EQ.REF_NUM Reflected XSS Vulnerability

Acknowledgement

CVE-2016-9148 – Jerold Hoong

Change History

Version 1.0:  Initial Release, 2016-11-09

A notification about this security notice will be sent to customers who are subscribed to Proactive Notifications.

If additional information is required, please contact CA Technologies Support at https://support.ca.com/.

If you discover a vulnerability in CA Technologies products, please report your findings to the CA Technologies Product Vulnerability Response Team at vuln@ca.com.

CA Technologies Product Vulnerability Response Team PGP Key

Chat with CA

Just give us some brief information and we'll connect you to the right CA ExpertCA sales representative.

Our hours of availability are 8AM - 5PM CST.

All Fields Required

connecting

We're matching your request.

Unfortunately, we can't connect you to an agent. If you are not automatically redirected please click here.

  • {{message.agentProfile.name}} will be helping you today.

    View Profile


  • Transfered to {{message.agentProfile.name}}

    {{message.agentProfile.name}} joined the conversation

    {{message.agentProfile.name}} left the conversation

  • Your chat with {{$storage.chatSession.messages[$index - 1].agentProfile.name}} has ended.
    Thank you for your interest in CA.


    Rate Your Chat Experience.

    {{chat.statusMsg}}

agent is typing