Vulnerability Name: CVE-2019-6504 (CCN-156122)

Assigned:2019-01-24
Published:2019-01-24
Updated:2021-04-07
Summary: Insufficient output sanitization in the Automic Web Interface (AWI), in CA Automic Workload Automation 12.0 through 12.2, allows attackers to conduct persistent (stored) cross-site scripting (XSS) attacks via a crafted object.
CVSS v3 Severity:6.1 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
5.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availability (A): None
6.1 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
5.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availability (A): None
CVSS v2 Severity:4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
5.5 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): None
Vulnerability Type:CWE-79
Vulnerability Consequences:Cross-Site Scripting
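The CWE-79 root cause named above is output that reaches the browser without context-appropriate encoding. The following is an added illustration, not code from CA Automic Workload Automation or AWI: the object model, the field names and the payload in `craftedObject` are constructed for the example, and the two render functions stand in for any server- or client-side template that places stored object attributes into HTML. It shows the unsafe concatenation beside the encoded version that keeps attacker-controlled text inert.

```javascript
// Added example for CWE-79 (stored XSS from insufficient output sanitization).
// NOT code from CA Automic / AWI: object shape, field names and payload are
// constructed here purely to demonstrate the vulnerable and hardened patterns.

// Constructed sample: an Automic-style object whose name carries markup.
// In a stored XSS the value persists in the backend and executes in the
// browser of every user whose UI later renders the object.
const craftedObject = {
  type: "JOBS",
  name: '<img src=x onerror="alert(document.cookie)">',
  folder: "ATTACKER/TEST",
};

// Vulnerable rendering: untrusted fields are concatenated straight into
// HTML, so the browser parses the object name as a tag with an event handler.
function renderObjectRowUnsafe(obj) {
  return `<tr><td>${obj.type}</td><td>${obj.name}</td><td>${obj.folder}</td></tr>`;
}

// Contextual output encoding for HTML text and quoted-attribute contexts:
// every character that can open a tag, close an attribute or start an entity
// is replaced by its entity reference, so the value is rendered as text.
function escapeHtml(value) {
  const map = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
    "/": "&#x2F;",
  };
  return String(value).replace(/[&<>"'\/]/g, (ch) => map[ch]);
}

// Hardened rendering: identical template, but every untrusted value is
// encoded at the point of output. Encoding on output is the CWE-79 fix;
// input validation on object names is a second layer, not a substitute.
function renderObjectRowSafe(obj) {
  return (
    `<tr><td>${escapeHtml(obj.type)}</td>` +
    `<td>${escapeHtml(obj.name)}</td>` +
    `<td>${escapeHtml(obj.folder)}</td></tr>`
  );
}

// Regression check usable in a test suite: does the markup produced for an
// object still contain any tag that originated in an untrusted field?
// It collects the raw tags present in the untrusted values and looks for
// them verbatim in the rendered output.
function leaksUntrustedMarkup(obj, renderFn) {
  const html = renderFn(obj);
  const tagPattern = /<\s*[a-z][^>]*>/gi;
  return Object.values(obj).some((v) =>
    (String(v).match(tagPattern) || []).some((tag) => html.includes(tag))
  );
}

// Stand-alone demonstration when run directly with node.
if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe:", renderObjectRowUnsafe(craftedObject));
  console.log("safe:  ", renderObjectRowSafe(craftedObject));
  console.log("unsafe leaks markup:", leaksUntrustedMarkup(craftedObject, renderObjectRowUnsafe));
  console.log("safe leaks markup:  ", leaksUntrustedMarkup(craftedObject, renderObjectRowSafe));
}
```

The encoding table follows the usual HTML-body/attribute rule set; values placed into JavaScript, URL or CSS contexts need the encoder for that context instead, which is the point at which "insufficient output sanitization" most often creeps in.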
References:Source: MITRE
Type: CNA
CVE-2019-6504

Source: BID
Type: Third Party Advisory, VDB Entry
106755

Source: MISC
Type: Vendor Advisory
https://communities.ca.com/community/product-vulnerability-response/blog/2019/01/24/ca20190124-01-security-notice-for-ca-automic-workload-automation

Source: XF
Type: UNKNOWN
ca-awi-cve20196504-xss(156122)

Source: BUGTRAQ
Type: Mailing List, Third Party Advisory
20190128 Fwd: CA20190124-01: Security Notice for CA Automic Workload Automation

Source: MISC
Type: Third Party Advisory, VDB Entry
https://packetstormsecurity.com/files/151325/CA-Automic-Workload-Automation-12.x-Cross-Site-Scripting.html

Source: CCN
Type: Packet Storm Security [01-24-2019]
CA AWI 12.0 / 12.1 / 12.2 Cross Site Scripting

Source: MISC
Type: Third Party Advisory
https://sec-consult.com/en/blog/advisories/cross-site-scripting-in-ca-automic-workload-automation-web-interface-formerly-automic-automation-engine/

Source: CCN
Type: Full-Disclosure Mailing List, Thu, 24 Jan 2019 23:57:28 +0100
SEC Consult SA-20190124-0 Cross-site scripting in CA Automic Workload Automation Web Interface (AWI)

Source: FULLDISC
Type: Mailing List, Third Party Advisory
20190124 CA20190124-01: Security Notice for CA Automic Workload Automation

Source: CCN
Type: CA20190124-01
Security Notice for CA Automic Workload Automation

Source: MISC
Type: Vendor Advisory
https://support.ca.com/us/product-content/recommended-reading/security-notices/CA20190124-01-security-notice-for-ca-automic-workload-automation.html

Vulnerable Configuration:Configuration 1:
  • cpe:/a:broadcom:automic_workload_automation:*:*:*:*:*:*:*:* (Version >= 12.0 and <= 12.2)

  • * Denotes that component is vulnerable