CA20180802-01: Security Notice for CA API Developer Portal

Issued: August 02, 2018
Last Updated: August 02, 2018

CA Technologies Support is alerting customers to a potential risk with CA API Developer Portal. A medium risk vulnerability exists that can allow a remote attacker to conduct reflected cross-site scripting attacks. CA published solutions to address the vulnerability.

The vulnerability, CVE-2018-6590, occurs due to insufficient parameter filtering in the web user interface, which can allow a remote attacker to launch reflected cross-site scripting attacks.

Risk Rating

Medium

Platform(s)

All supported platforms

Affected Products

CA API Developer Portal v4.0
CA API Developer Portal v4.1
CA API Developer Portal v4.2.x

Unaffected Products

CA API Developer Portal v4.2.5.3 and later releases
CA API Developer Portal v4.2.7.1 and later releases
CA API Developer Portal v3.5

How to determine if the installation is affected

Customers may use the CA API Developer Portal web interface to find the product version and review the information in the Affected and Unaffected Products sections to determine if the installation is vulnerable.
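The version check described above can be scripted across an inventory. The following is an added example, not code from CA Technologies. It assumes the two fixed releases are per-branch fixes (v4.2.5.3 for the 4.2.5 line, v4.2.7.1 for 4.2.7 and later), returns "review" for anything the notice does not clearly cover, and uses constructed host names and versions.

```python
import re

def parse(version):
    """Turn 'v4.2.5.3' or '4.2.5' into a 4-tuple of ints.

    Missing components are padded with 0, so a truncated version string
    errs toward being reported as affected rather than fixed.
    """
    m = re.fullmatch(r"v?(\d+(?:\.\d+){0,3})", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def triage(version):
    """Classify one version against the lists in this notice (CVE-2018-6590)."""
    v = parse(version)
    if v[:2] == (3, 5):                      # listed as unaffected
        return "unaffected"
    if v[:2] in ((4, 0), (4, 1)):            # listed as affected
        return "affected"
    if v[:3] == (4, 2, 5):                   # fixed in v4.2.5.3 and later
        return "unaffected" if v >= (4, 2, 5, 3) else "affected"
    if v[:3] == (4, 2, 6):                   # assumption: not clearly covered
        return "review"
    if v >= (4, 2, 7, 1):                    # fixed in v4.2.7.1 and later
        return "unaffected"
    if v[:2] == (4, 2):                      # remaining 4.2.x releases
        return "affected"
    return "review"                          # release not named in the notice

def triage_inventory(inventory):
    """Map each host to its triage result; unparseable versions need review."""
    results = {}
    for host, version in inventory.items():
        try:
            results[host] = triage(version)
        except ValueError:
            results[host] = "review"
    return results

# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE = {"portal-a": "v4.1", "portal-b": "4.2.5.3", "portal-c": "4.2.7.0",
          "portal-d": "3.5", "portal-e": "4.2.6.2", "portal-f": "unknown"}

if __name__ == "__main__":
    for host, status in sorted(triage_inventory(SAMPLE).items()):
        print(f"{host}: {status}")
```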

Solution

CA Technologies published the following solutions to address the vulnerability.

CA API Developer Portal v4.0, v4.1, v4.2.x:
Customers should update to CA API Developer Portal v4.2.5.3, v4.2.7.1, or a later release.
CA API Developer product page

References

CVE-2018-6590 - CA API Developer Portal XSS

Acknowledgement

CVE-2018-6590 - Joe Schottman

Change History

Version 1.0: Initial Release

CA customers may receive product alerts and advisories by subscribing to Proactive Notifications.

Customers who require additional information about this notice may contact CA Technologies Support at http://support.ca.com/.

To report a suspected vulnerability in a CA Technologies product, please send a summary to the CA Technologies Product Vulnerability Response Team.