Vulnerability CVE-2014-1219


Published: 2014-02-14

Description:
CA 2E Web Option r8.1.2 accepts a predictable substring of a W2E_SSNID session token in place of the entire token, which allows remote attackers to hijack sessions by changing characters at the end of this substring, as demonstrated by terminating a session via a modified SSNID parameter to web2edoc/close.htm.

See advisories in our WLB2 database:
Topic
Author
Date
Med.
CA 2E Web Option Unauthenticated Privilege Escalation
Mike Emery
13.02.2014

Type:

CWE-20

(Improper Input Validation)

CVSS2 => (AV:N/AC:H/Au:N/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
5.1/10
6.4/10
4.9/10
Exploit range
Attack complexity
Authentication
Remote
High
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial
Affected software
CA -> 2e web option 

 References:
http://www.securityfocus.com/bid/65537
http://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-1219/

Copyright 2024, cxsecurity.com

 

Back to Top