Vulnerability Note VU#343060
CA LISA Release Automation contains multiple vulnerabilities
Overview
CA LISA Release Automation 4.7.1.385 contains multiple vulnerabilities
Description
CWE-352: Cross-Site Request Forgery (CSRF) - CVE-2014-8246
CA LISA Release Automation 4.7.1.385 contains a global Cross-Site Request Forgery (CSRF) vulnerability. The application allows a malicious user to perform actions on the site with the same permissions as the victim. This vulnerability requires the attacker to be authenticated and have an active session.
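To make the CSRF class described above concrete from a defender's side, here is an added illustration (not code from CA or from this note) of why a cookie-only authorization check is forgeable and how a synchronizer token plus an Origin check closes the gap. The request/session objects, the `TRUSTED_ORIGIN` value and the "deploy a release" action are constructed placeholders, not details of the CA LISA product.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed, in-memory stand-ins for a web framework's session and request objects.
@dataclass
class Session:
    user: str
    # Per-session secret that a cross-site page cannot read (same-origin policy).
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))

@dataclass
class Request:
    method: str
    cookies: dict
    headers: dict
    form: dict

SESSIONS = {}
TRUSTED_ORIGIN = "https://release-automation.example"  # hypothetical application origin

def login(user):
    """Create a session and return its cookie value (constructed helper)."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = Session(user=user)
    return sid

def handle_deploy_vulnerable(req):
    """Authorizes on the session cookie alone. Browsers attach that cookie to
    requests initiated by any site, so a third-party page can trigger the action
    with the victim's permissions: the pattern the note describes."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 401, "not logged in"
    return 200, f"{sess.user} deployed {req.form['release']}"

def handle_deploy_protected(req):
    """Same action with two independent CSRF checks."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 401, "not logged in"
    if req.method != "POST":
        return 405, "state-changing actions must use POST"
    # Check 1: the Origin (or Referer) header must name the application's own origin.
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not origin.startswith(TRUSTED_ORIGIN):
        return 403, "cross-origin request rejected"
    # Check 2: the form must carry the session-bound token; compare in constant time.
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, sess.csrf_token):
        return 403, "missing or invalid CSRF token"
    return 200, f"{sess.user} deployed {req.form['release']}"

def demo():
    """Run a forged and a legitimate request through both handlers; returns status codes."""
    sid = login("alice")
    # Forged request: cookie is present (the browser adds it), token is absent,
    # Origin is the foreign page. Constructed sample input.
    forged = Request("POST", {"sid": sid},
                     {"Origin": "https://third-party.example"}, {"release": "prod-42"})
    # Legitimate request from the application's own form.
    legit = Request("POST", {"sid": sid}, {"Origin": TRUSTED_ORIGIN},
                    {"release": "prod-42", "csrf_token": SESSIONS[sid].csrf_token})
    # Right origin but stale/missing token (e.g. a replayed form) is still rejected.
    no_token = Request("POST", {"sid": sid}, {"Origin": TRUSTED_ORIGIN},
                       {"release": "prod-42"})
    return {
        "vulnerable_forged": handle_deploy_vulnerable(forged)[0],
        "protected_forged": handle_deploy_protected(forged)[0],
        "protected_no_token": handle_deploy_protected(no_token)[0],
        "protected_legit": handle_deploy_protected(legit)[0],
    }

if __name__ == "__main__":
    print(demo())
```

The two checks are deliberately independent: the Origin check catches forged requests even when a token leaks, and the token check catches requests from clients that omit or strip the Origin header. A global CSRF weakness of the kind the note reports is one where no state-changing endpoint applies either check.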
Impact
A remote, unauthenticated attacker may be able to execute arbitrary script in the context of the end-user's browser session, elevate privileges, or perform actions as an authenticated user.
Solution
Apply an Update
Vendor Information
Vendor | Status | Date Notified | Date Updated |
---|---|---|---|
CA Technologies | Affected | 23 Oct 2014 | 17 Dec 2014 |
CVSS Metrics
Group | Score | Vector |
---|---|---|
Base | 6.8 | AV:N/AC:M/Au:N/C:P/I:P/A:P |
Temporal | 6.1 | E:POC/RL:U/RC:ND |
Environmental | 1.5 | CDP:N/TD:L/CR:ND/IR:ND/AR:ND |
Credit
Thanks to Julian Horoszkiewicz and Lukasz Plonka for reporting these vulnerabilities.
This document was written by Chris King.
Other Information
- CVE IDs: CVE-2014-8246 CVE-2014-8247 CVE-2014-8248
- Date Public: 15 Dec 2014
- Date First Published: 15 Dec 2014
- Date Last Updated: 17 Dec 2014
- Document Revision: 23