Change Download Preference

Current Preference
Change Preference to:

CA20161109-02:  Security Notice for CA Service Desk Manager

Issued:  November 09, 2016

CA Technologies Support is alerting customers to a vulnerability in CA Service Desk Manager (formerly CA Service Desk).  A reflected cross site scripting vulnerability, CVE-2016-9148, exists in the QBE.EQ.REF_NUM parameter of the SDM web interface.  A remote attacker, who can trick a user into clicking on or visiting a specially crafted link, could potentially execute arbitrary code on the targeted user’s system.  CA Technologies has assigned a Medium risk rating to this vulnerability.  A solution is available.

Risk Rating




Affected Products

CA Service Desk Manager 12.9, 14.1

How to determine if the installation is affected

Check the web.cfg file for the existence of the solution detailed in KB article TEC1774903.


Implement the solution detailed in KB article TEC1774903.




CVE-2016-9148 – SDM QBE.EQ.REF_NUM Reflected XSS Vulnerability


CVE-2016-9148 – Jerold Hoong

Change History

Version 1.0:  Initial Release, 2016-11-09

A notification about this security notice will be sent to customers who are subscribed to Proactive Notifications.

If additional information is required, please contact CA Technologies Support at

If you discover a vulnerability in CA Technologies products, please report your findings to the CA Technologies Product Vulnerability Response Team at

CA Technologies Product Vulnerability Response Team PGP Key