PT-2011-3267 · Ca · Ca Total Defense

Andrea Micalizzi

Published

2011-04-13

Updated

2021-04-12

CVE-2011-1653

CVSS v2.0

High

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions CA Total Defense versions prior to r12 SE2

Description The issue involves multiple SQL injection vulnerabilities in the Unified Network Control (UNC) Server. These vulnerabilities allow remote attackers to execute arbitrary SQL commands via various vectors, including the UnAssignFunctionalRoles, UnassignAdminRoles, DeleteFilter, NonAssignedUserList, DeleteReportLayout, DeleteReports, and RegenerateReport stored procedures.

Recommendations For versions prior to r12 SE2, update to r12 SE2 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable stored procedures until a patch is available. Avoid using the vulnerable stored procedures in the UNC Management Console until the issue is resolved.

Exploit

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

CVE-2011-1653

ZDI-11-128

ZDI-11-129

ZDI-11-130

ZDI-11-131

ZDI-11-132

ZDI-11-133

ZDI-11-134

Affected Products

Ca Total Defense

PT-2011-3267 · Ca · Ca Total Defense

CVE-2011-1653

Weakness Enumeration

Related Identifiers

Affected Products

References · 32