
CVSS: 7.8 | EPSS: 0% | CPEs: 18 | EXPL: 0

The casrvc program in CA Common Services, as used in CA Client Automation 12.8, 12.9, and 14.0; CA SystemEDGE 5.8.2 and 5.9; CA Systems Performance for Infrastructure Managers 12.8 and 12.9; CA Universal Job Management Agent 11.2; CA Virtual Assurance for Infrastructure Managers 12.8 and 12.9; CA Workload Automation AE 11, 11.3, 11.3.5, and 11.3.6 on AIX, HP-UX, Linux, and Solaris allows local users to modify arbitrary files and consequently gain root privileges via vectors related to insufficient validation.

• http://www.securityfocus.com/archive/1/540062/100/0/threaded
• http://www.securityfocus.com/bid/95819
• http://www.securitytracker.com/id/1037730
• https://www.ca.com/us/services-support/ca-support/ca-support-online/product-content/recommended-reading/security-notices/ca20170126-01--security-notice-for-ca-common-services-casrvc.html
• CWE-20: Improper Input Validation

CVSS: 8.1 | EPSS: 0% | CPEs: 6 | EXPL: 0

RESTful web services in CA Service Desk Manager 12.9 and CA Service Desk Management 14.1 might allow remote authenticated users to read or modify task information by leveraging incorrect permissions applied to a RESTful request.

• http://www.securityfocus.com/bid/95366
• http://www.securitytracker.com/id/1037583
• https://www.ca.com/us/services-support/ca-support/ca-support-online/product-content/recommended-reading/security-notices/ca20170109-01-security-notice-for-ca-service-desk-manager.html
• CWE-264: Permissions, Privileges, and Access Controls

CVSS: 6.1 | EPSS: 0% | CPEs: 2 | EXPL: 0

Cross-site scripting (XSS) vulnerability in CA Service Desk Manager (formerly CA Service Desk) 12.9 and 14.1 allows remote attackers to inject arbitrary web script or HTML via the QBE.EQ.REF_NUM parameter.

• http://packetstormsecurity.com/files/139660/CA-Service-Desk-Manaager-12.9-14.1-Code-Execution.html
• http://seclists.org/fulldisclosure/2016/Nov/53
• http://www.ca.com/us/services-support/ca-support/ca-support-online/product-content/recommended-reading/security-notices/ca20161109-02-security-notice-for-ca-service-desk-manager.html
• http://www.securityfocus.com/bid/94258
• http://www.securitytracker.com/id/1037262
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.6 | EPSS: 25% | CPEs: 1 | EXPL: 0

An issue was discovered in CA Unified Infrastructure Management Version 8.47 and earlier. The Unified Infrastructure Management software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory. This vulnerability allows remote attackers to disclose sensitive information from vulnerable installations of CA Unified Infrastructure Management.

• http://www.securityfocus.com/bid/94243
• https://ics-cert.us-cert.gov/advisories/ICSA-16-315-01
• https://www.ca.com/us/services-support/ca-support/ca-support-online/product-content/recommended-reading/security-notices/ca20161109-01-security-notice-for-ca-unified-infrastructure-mgmt.html
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 7.5 | EPSS: 3% | CPEs: 2 | EXPL: 0

The get_sessions servlet in CA Unified Infrastructure Management (formerly CA Nimsoft Monitor) before 8.5 and CA Unified Infrastructure Management Snap (formerly CA Nimsoft Monitor Snap) allows remote attackers to obtain active session ids and consequently bypass authentication or gain privileges via unspecified vectors. This vulnerability allows remote attackers to disclose session information on vulnerable installations of CA Unified Infrastructure Management. Authentication is not required to exploit this vulnerability. The specific flaw exists within processing of the get_sessions servlet. The servlet can return the session IDs for all active sessions.

• http://www.securityfocus.com/bid/94257
• http://www.zerodayinitiative.com/advisories/ZDI-16-606
• https://www.ca.com/us/services-support/ca-support/ca-support-online/product-content/recommended-reading/security-notices/ca20161109-01-security-notice-for-ca-unified-infrastructure-mgmt.html
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor