CVE-2018-13826
CA PPM Password Storage / SQL Injection / XML Injection
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
An XML external entity vulnerability in the XOG functionality, in CA PPM 14.3 and below, 14.4, 15.1, 15.2 CP5 and below, and 15.3 CP2 and below, allows remote attackers to conduct server side request forgery attacks.
Una vulnerabilidad de XEE (XML External Entity) en la funcionalidad XOG de CA PPM 14.3 y anteriores, 14.4, 15.1, 15.2 CP5 y anteriores y 15.3 CP2 y anteriores permite que los atacantes remotos lleven a cabo ataques de Server-Side Request Forgery (SSRF).
CA Technologies Support is alerting customers to multiple potential risks with CA PPM (formerly CA Clarity PPM). Multiple vulnerabilities exist that can allow an attacker to conduct a variety of attacks. The first vulnerability has a medium risk rating and concerns an SSL password being stored in plain text, which can allow an attacker to access sensitive information. The second vulnerability has a high risk rating and concerns an XML external entity vulnerability in the XOG functionality, which can allow a remote attacker to access sensitive information. The third vulnerability has a high risk rating and concerns two parameters that fail to properly sanitize input, which can allow a remote attacker to execute SQL injection attacks. The fourth vulnerability has a high risk rating and concerns improper input validation by the gridExcelExport functionality, which can allow a remote attacker to execute reflected cross-site scripting attacks. The fifth vulnerability has a medium risk rating and concerns an XML external entity vulnerability in the XOG functionality, which can allow a remote attacker to conduct server side request forgery attacks.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2018-07-10 CVE Reserved
- 2018-08-30 CVE Published
- 2024-09-17 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-611: Improper Restriction of XML External Entity Reference
CAPEC
References (2)
| URL | Tag | Source |
|---|---|---|
| http://www.securityfocus.com/bid/105297 | Third Party Advisory |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://support.ca.com/us/product-content/recommended-reading/security-notices/ca20180829-01--security-notice-for-ca-ppm.html | 2021-04-12 |
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Broadcom Search vendor "Broadcom" | Project Portfolio Management Search vendor "Broadcom" for product "Project Portfolio Management" | <= 14.3 Search vendor "Broadcom" for product "Project Portfolio Management" and version " <= 14.3" | - |
Affected
| ||||||
| Broadcom Search vendor "Broadcom" | Project Portfolio Management Search vendor "Broadcom" for product "Project Portfolio Management" | 14.4 Search vendor "Broadcom" for product "Project Portfolio Management" and version "14.4" | - |
Affected
| ||||||
| Broadcom Search vendor "Broadcom" | Project Portfolio Management Search vendor "Broadcom" for product "Project Portfolio Management" | 15.1 Search vendor "Broadcom" for product "Project Portfolio Management" and version "15.1" | - |
Affected
| ||||||
| Ca Search vendor "Ca" | Project Portfolio Management Search vendor "Ca" for product "Project Portfolio Management" | 15.2 Search vendor "Ca" for product "Project Portfolio Management" and version "15.2" | cp5 |
Affected
| ||||||
| Ca Search vendor "Ca" | Project Portfolio Management Search vendor "Ca" for product "Project Portfolio Management" | 15.3 Search vendor "Ca" for product "Project Portfolio Management" and version "15.3" | cp2 |
Affected
| ||||||