CA Unicenter Asset Management Console Multiple Vulnerabilities

Title : CA Unicenter Asset Management Console Multiple Vulnerabilities
VUPEN ID : VUPEN/ADV-2005-0220
CVE ID : GENERIC-MAP-NOMATCH
CWE ID : CWE-
Rated as : Moderate Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2005-03-02

Several vulnerabilities were identified in CA Unicenter Asset Management, which may be exploited by attackers to disclose the database administrator password and to conduct cross-site scripting and SQL injection attacks.
- The first flaw is due to insecure GUI initialization with the SQL user password. The "Change Credentials for Database" window of the Admin Console is pre-populated with the SQL Admin password, shown only as asterisks (*). Because the real password is loaded into the masked field instead of the field being left blank, any user with access to the Admin Console may recover it in clear text, which could give unauthorised users administrative access to the CAAMDB database.
- The second vulnerability is due to a cross-site scripting error in the Reporter, which may be exploited by a user with write privileges to inject HTML or script code into a report template's name or description; the injected code is rendered for other users who later view the report.
- The third flaw is due to an SQL injection error when importing queries in the Query Designer: the imported query text is passed to the database without rejecting statement separators, so users may append semicolon (";") separated statements to a query and execute arbitrary SQL statements against the database.
Affected Products

CA Unicenter Asset Management (UAM) version 4.0 (Windows)

Solution

Apply APAR QO64323 (see References).

References

http://www.vupen.com/english/advisories/2005/0220
http://supportconnect.ca.com/sc/solcenter/sol_detail.jsp?aparno=QO64323&os=NT

Credits

Vulnerability reported by CA

ChangeLog

2005-03-02 : Initial release