Issued: November 14, 2017
Last Updated: November 14, 2017
CA Technologies support is alerting customers to a potential risk with CA Identity Governance. A vulnerability exists that can potentially allow a malicious actor to conduct cross-site scripting attacks. CA published a solution to resolve the issue.
The vulnerability, CVE-2017-9394, occurs due to insufficient input validation that can result in a stored cross-site scripting vulnerability. The vulnerability can allow an authenticated remote attacker to display HTML or execute script in the context of another user.
All Server Environments where CA Identity Governance can be deployed. Please refer to the Platform Support Matrix in the product documentation at https//docops.ca.com.
CA Identity Governance 12.6
Note: CA Identity Governance (formerly GovernanceMinder) releases prior to 12.6 are no longer supported.
CA Identity Governance 14.0, 14.1
How to determine if the installation is affected
Use the web interface to determine the version and check the version against the affected products list.
CA Identity Governance 12.6.5:
Update to CA Identity Governance 12.6.5 CR1 CP3 RS98844
CA Identity Governance releases previous to 12.6.5:
Open a support ticket to request a hotfix
CVE-2017-9394 - CA Identity Governance stored XSS
CVE-2017-9394 - Jake Miller of Blue Canopy - A Jacobs company
Version 1.0: Initial Release
A notification about this security notice will be sent to customers who are subscribed to Proactive Notifications.
If additional information is required, please contact CA Technologies Support at http://support.ca.com/.
If you discover a vulnerability in CA Technologies products, please report your findings to the CA Technologies Product Vulnerability Response Team.