CVE-2021-28250
https://notcve.org/view.php?id=CVE-2021-28250
CA eHealth Performance Manager through 6.3.2.12 is affected by Privilege Escalation via a setuid (and/or setgid) file. When a component is run as an argument of the runpicEhealth executable, the script code will be executed as the ehealth user. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
• https://n4nj0.github.io/advisories/ca-ehealth-performance-manager
• CWE-269: Improper Privilege Management
CVE-2021-28249
https://notcve.org/view.php?id=CVE-2021-28249
CA eHealth Performance Manager through 6.3.2.12 is affected by Privilege Escalation via a Dynamically Linked Shared Object Library. To exploit the vulnerability, the ehealth user must create a malicious library in the writable RPATH, to be dynamically linked when the FtpCollector executable is run. The code in the library will be executed as the root user. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
• https://n4nj0.github.io/advisories/ca-ehealth-performance-manager
• CWE-426: Untrusted Search Path
CVE-2021-28247
https://notcve.org/view.php?id=CVE-2021-28247
CA eHealth Performance Manager through 6.3.2.12 is affected by Cross Site Scripting (XSS). The impact is: An authenticated remote user is able to inject arbitrary web script or HTML due to incorrect sanitization of user-supplied data and perform a Reflected Cross-Site Scripting attack against the platform users. The affected endpoints are: cgi/nhWeb with the parameter report, aviewbin/filtermibobjects.pl with the parameter namefilter, and aviewbin/query.pl with the parameters System, SystemText, Group, and GroupText. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
• https://n4nj0.github.io/advisories/ca-ehealth-performance-manager
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-6151
https://notcve.org/view.php?id=CVE-2016-6151
CA eHealth 6.2.x allows remote authenticated users to cause a denial of service or possibly execute arbitrary commands via unspecified vectors.
• http://www.ca.com/us/support/ca-support-online/product-content/recommended-reading/security-notices/ca20160721-01-security-notice-for-ca-ehealth.aspx
• http://www.securityfocus.com/bid/92107
• http://www.securitytracker.com/id/1036433
CVE-2016-6152
https://notcve.org/view.php?id=CVE-2016-6152
CA eHealth 6.2.x and 6.3.x before 6.3.2.13 allows remote authenticated users to cause a denial of service or possibly execute arbitrary commands via unspecified vectors.
• http://www.ca.com/us/support/ca-support-online/product-content/recommended-reading/security-notices/ca20160721-01-security-notice-for-ca-ehealth.aspx
• http://www.securityfocus.com/bid/92107
• http://www.securitytracker.com/id/1036433