{"vuid":"VU#343060","idnumber":"343060","name":"CA LISA Release Automation contains multiple vulnerabilities","keywords":["ca","lisa","cve-2014-8246","cve-2014-8247","cve-2014-8248","xss","csrf","sql injection"],"overview":"CA LISA Release Automation 4.7.1.385 contains multiple vulnerabilities","clean_desc":"CWE-352: Cross-Site Request Forgery (CSRF) - CVE-2014-8246 CA LISA Release Automation 4.7.1.385 contains a global Cross-Site Request Forgery (CSRF) vulnerability. The application allows a malicious user to perform actions on the site with the same permissions as the victim. This vulnerability requires the attacker to be authenticated and have an active session. CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CVE-2014-8247 CA Release Automation 4.7.1.385 contains a global cross-site scripting (XSS) vulnerability in the server exception message. CWE-89: Improper Neutralization of Special Elements used in a SQL Command ('SQL Injection') - CVE-2014-8248 CA Release Automation 4.7.1.385 contains a SQL injection vulnerability in the filter and parent parameters. This vulnerability may allow an authenticated attacker to elevate privileges by extracting the hash of the administrator user. Note: the CVSS score reflects CVE-2014-8246","impact":"A remote, unauthenticated attacker may be able to execute arbitrary script in the context of the end-user's browser session, elevate privileges, or perform actions as an authenticated user.","resolution":"Apply an Update\nCA has developed a hotfix which is available on their site. The b448 hotfix includes patches for all of the listed vulnerabilities.\nPlease see CA's security notice for more details.","workarounds":"","sysaffected":"","thanks":"Thanks to Julian Horoszkiewicz and\n Lukasz Plonka for reporting these vulnerabilities.","author":"This document was written by Chris King.","public":["http://support.itko.com/","http://www.ca.com/us/devcenter/ca-service-virtualization.aspx"],"cveids":["CVE-2014-8246","CVE-2014-8247","CVE-2014-8248"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2014-09-18T17:04:20Z","publicdate":"2014-12-15T00:00:00Z","datefirstpublished":"2014-12-15T20:54:07Z","dateupdated":"2014-12-17T15:41:50Z","revision":24,"vrda_d1_directreport":"1","vrda_d1_population":"3","vrda_d1_impact":"3","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"N","cvss_accesscomplexity":"M","cvss_authentication":null,"cvss_confidentialityimpact":"P","cvss_integrityimpact":"P","cvss_availabilityimpact":"P","cvss_exploitablity":null,"cvss_remediationlevel":"U","cvss_reportconfidence":"ND","cvss_collateraldamagepotential":"N","cvss_targetdistribution":"L","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"6.8","cvss_basevector":"AV:N/AC:M/Au:N/C:P/I:P/A:P","cvss_temporalscore":"6.1","cvss_environmentalscore":"1.53502557586875","cvss_environmentalvector":"CDP:N/TD:L/CR:ND/IR:ND/AR:ND","metric":0.0,"vulnote":null}