PT-2019-9839 · Bmc · Bmc Remedy

Rafael Pedrero · Published 2019-01-03 · Updated 2019-02-15 · CVE-2018-19505

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

BMC Remedy version 7.1

Description

The issue arises from the Remedy AR System Server in BMC Remedy, which may fail to set the correct user context in certain impersonation scenarios. This can allow a user to act with the identity of a different user. The problem is specifically related to userdata.js in the WOI:WorkOrderConsole component, which allows a username substitution involving a UserData Init call.

Recommendations

For version 7.1, consider restricting access to the WOI:WorkOrderConsole component until a fix is available, and avoid using the UserData Init call in scenarios where user impersonation is involved.

Fix

Improper Authentication


Weakness Enumeration

Related Identifiers

CVE-2018-19505

Affected Products

Bmc Remedy