
CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

CA eHealth Performance Manager through 6.3.2.12 is affected by Privilege Escalation via a setuid (and/or setgid) file. When a component is run as an argument of the runpicEhealth executable, the script code will be executed as the ehealth user. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. • https://n4nj0.github.io/advisories/ca-ehealth-performance-manager • CWE-269: Improper Privilege Management

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

CA eHealth Performance Manager through 6.3.2.12 is affected by Privilege Escalation via a Dynamically Linked Shared Object Library. To exploit the vulnerability, the ehealth user must create a malicious library in the writable RPATH, to be dynamically linked when the FtpCollector executable is run. The code in the library will be executed as the root user. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. • https://n4nj0.github.io/advisories/ca-ehealth-performance-manager • CWE-426: Untrusted Search Path

CVSS: 5.4 • EPSS: 0% • CPEs: 1 • EXPL: 1

CA eHealth Performance Manager through 6.3.2.12 is affected by Cross Site Scripting (XSS). The impact is: An authenticated remote user is able to inject arbitrary web script or HTML due to incorrect sanitization of user-supplied data and perform a Reflected Cross-Site Scripting attack against the platform users. The affected endpoints are: cgi/nhWeb with the parameter report, aviewbin/filtermibobjects.pl with the parameter namefilter, and aviewbin/query.pl with the parameters System, SystemText, Group, and GroupText. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. • https://n4nj0.github.io/advisories/ca-ehealth-performance-manager • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 2.6 • EPSS: 0% • CPEs: 3 • EXPL: 0

Cross-site scripting (XSS) vulnerability in CA eHealth Performance Manager 6.0.x through 6.2.x, when malicious HTML detection is disabled, allows remote attackers to inject arbitrary web script or HTML via a crafted request. • http://seclists.org/fulldisclosure/2010/Feb/415 http://www.securityfocus.com/archive/1/509714/100/0/threaded http://www.securityfocus.com/bid/38376 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')