TITLE:
CA Unicenter Asset Management Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA14454

VERIFY ADVISORY:
http://secunia.com/advisories/14454/

CRITICAL:
Less critical

IMPACT:
Cross Site Scripting, Manipulation of data, Exposure of system information, Exposure of sensitive information

WHERE:
From local network

SOFTWARE:
CA Unicenter Asset Management 4.x
http://secunia.com/product/1682/

DESCRIPTION:
Three vulnerabilities have been reported in CA Unicenter Asset Management, which can be exploited to gain knowledge of sensitive information or conduct script insertion and SQL injection attacks.

1) Anyone with access to the Admin Console can see the masked SQL Admin password (shown as asterisks) in the "Change Credentials for Database" window. However, it is possible to unmask and disclose the password with various available tools.

2) An input validation error in the Reporter can be exploited by malicious users with write privileges to inject arbitrary HTML and script code in a report template's name and description, which will be executed in a user's browser session in context of a vulnerable site when the malicious report template is viewed.

3) An input validation error in Query Designer when importing queries can be exploited by arbitrary users to manipulate SQL queries by injecting arbitrary SQL code in an imported file.

The vulnerabilities affect release 4.0 for Windows.

SOLUTION:
Apply APAR QO64323.

PROVIDED AND/OR DISCOVERED BY:
Reported by vendor.

ORIGINAL ADVISORY:
CA:
http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=Qo64323