CVE-2018-6588: Support Content Notification (Broadcom Support Portal)
CA API Developer Portal 3.5 up to and including 3.5 CR5 has a reflected cross-site scripting vulnerability related to the apiExplorer.
CA20180328-01: Security Notice for CA API Developer Portal
Issued: March 28, 2018
Last Updated: March 28, 2018
CA Technologies Support is alerting customers to multiple potential risks with CA API Developer Portal. Multiple vulnerabilities exist that can allow a remote attacker to conduct cross-site scripting attacks.
The first vulnerability, CVE-2018-6586, has a medium risk rating and concerns profile picture management, which can allow a remote attacker to conduct stored cross-site scripting attacks (CWE-79).
The second vulnerability, CVE-2018-6587, has a medium risk rating and concerns the widgetID variable, which can allow a remote attacker to conduct reflected cross-site scripting attacks (CWE-79).
The third vulnerability, CVE-2018-6588, has a medium risk rating and concerns how the apiExplorer handles requests, which can allow a remote attacker to conduct reflected cross-site scripting attacks (CWE-79).
Risk Rating

CVE Identifier    Risk Rating
CVE-2018-6586     Medium
CVE-2018-6587     Medium
CVE-2018-6588     Medium
Platform(s)
All supported platforms
Affected Products

CVE Identifier    Affected Product and Releases
CVE-2018-6586     CA API Developer Portal 3.5 GA through and including CR6
CVE-2018-6587     CA API Developer Portal 3.5 GA through and including CR6
CVE-2018-6588     CA API Developer Portal 3.5 GA through and including CR5
*CA API Developer Portal was formerly called CA Layer 7 API Portal
Unaffected Products
CA API Developer Portal 4 and newer releases
How to determine if the installation is affected
Customers may use the CA API Developer Portal web interface to find the product version, including the cumulative release (CR) level, and then compare it with the table in the Affected Products section to determine whether the installation is vulnerable.
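As an added check that is not part of the original notice: a small Python helper that parses a reported version string and evaluates it against the Affected Products table above. The version-string format ("3.5 CR5"), the treatment of GA as CR0, and the function names are assumptions made for this example; releases before 3.5 are not listed in the notice, so the helper reports them as not covered rather than as safe.

```python
"""Assess a CA API Developer Portal version against CA20180328-01.

Example code added to this page; it is not CA/Broadcom code. It assumes the
version is reported as '<major>.<minor>[ GA | CRn]', e.g. '3.5 CR5'.
"""
import re
from typing import NamedTuple, Optional, Tuple

# Highest 3.5 cumulative release still affected by each CVE, taken from the
# Affected Products table. GA is modelled as CR0 (assumption); CR7 fixes all three.
LAST_AFFECTED_CR = {
    "CVE-2018-6586": 6,
    "CVE-2018-6587": 6,
    "CVE-2018-6588": 5,
}
FIXED_CR = 7


class Version(NamedTuple):
    major: int
    minor: int
    cr: int  # cumulative release number; 0 means GA


# Accepts '3.5', '3.5 GA', '3.5 CR5', '3.5 cr7', '4.2', '4.2.8' (assumed formats).
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\.\d+)*\s*(?:GA|CR\s*(\d+))?\s*$", re.IGNORECASE
)


def parse_version(text: str) -> Version:
    """Parse a version string as shown in the portal web interface (assumed format)."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return Version(int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


class Assessment(NamedTuple):
    status: str                  # 'affected', 'fixed', 'unaffected' or 'not covered'
    cves: Tuple[str, ...]        # CVEs from the notice that apply to this version
    action: Optional[str]        # remediation from the notice, if any


def assess(text: str) -> Assessment:
    """Map a version string to the notice's affected/unaffected tables."""
    v = parse_version(text)
    if v.major >= 4:
        # "CA API Developer Portal 4 and newer releases" are listed as unaffected.
        return Assessment("unaffected", (), None)
    if (v.major, v.minor) != (3, 5):
        # Releases before 3.5 are not mentioned in the notice; do not assume safety.
        return Assessment("not covered", (),
                          "Not listed in CA20180328-01; confirm with CA Support")
    cves = tuple(cve for cve, last in LAST_AFFECTED_CR.items() if v.cr <= last)
    if not cves:
        return Assessment("fixed", (), None)
    return Assessment("affected", cves,
                      f"Update to CA API Developer Portal 3.5 CR{FIXED_CR}")


if __name__ == "__main__":
    # Constructed sample inputs, not real installations.
    for sample in ("3.5 GA", "3.5 CR5", "3.5 CR6", "3.5 CR7", "4.2", "3.4"):
        print(sample, "->", assess(sample))
```

Note that 3.5 CR6 is reported as affected by CVE-2018-6586 and CVE-2018-6587 but not CVE-2018-6588, matching the table; the remediation is the same CR7 update in every affected case.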
Solution
CA Technologies published the following solution to address the vulnerabilities.
CA API Developer Portal 3.5:
Update to CA API Developer Portal 3.5 CR7 to address all vulnerabilities in this security notice.
CA API Management Solutions & Patches
References
CVE-2018-6586 - CA API Developer Portal profile picture stored XSS
CVE-2018-6587 - CA API Developer Portal widgetID reflected XSS
CVE-2018-6588 - CA API Developer Portal apiExplorer reflected XSS
Acknowledgement
CVE-2018-6586, CVE-2018-6587, CVE-2018-6588 - Alphan Yavas from Biznet Bilisim A.S.
Change History
Version 1.0: 2018-03-28 - Initial Release
CA will send a notification about this security notice to customers who are subscribed to CA Technologies’ Proactive Notifications.
Customers who require additional information about this notice may contact CA Technologies Support at http://support.ca.com/.
If you discover a vulnerability in a CA Technologies product, please send a report to the CA Technologies Product Vulnerability Response Team.
CA Technologies security notices