A vulnerability, which was classified as critical, was found in CA API Developer Portal up to 4.3.1 (Automation Software). This affects an unknown functionality of the component loginRedirect Page. The manipulation with an unknown input leads to a redirect vulnerability. CWE is classifying the issue as CWE-601. A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks. This is going to have an impact on confidentiality, integrity, and availability. The summary by CVE is:

CA API Developer Portal 4.3.1 and earlier handles loginRedirect page redirects in an insecure manner, which allows attackers to perform open redirect attacks.

The weakness was disclosed 04/15/2020. This vulnerability is uniquely identified as CVE-2020-11665 since 04/09/2020. It is possible to initiate the attack remotely. No form of authentication is needed for exploitation. It demands that the victim is doing some kind of user interaction. Neither technical details nor an exploit are publicly available. The price for an exploit might be around USD $5k-$25k at the moment (estimation calculated on 04/16/2020). MITRE ATT&CK project uses the attack technique T1204.001 for this issue.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

The entries VDB-153778, VDB-153776, VDB-153775 and VDB-153774 are pretty similar. Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Productinfo

Type

• Automation Software

Vendor

• CA

Name

• API Developer Portal

Version

• 4.3.0
• 4.3.1

License

• commercial

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion