PT-2019-9839 · Bmc · Bmc Remedy
Rafael Pedrero · Published 2019-01-03 · Updated 2019-02-15 · CVE-2018-19505

| CVSS v3.1 | 6.5 (Medium) |
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
BMC Remedy versions 7.1
Description
The issue arises from the Remedy AR System Server in BMC Remedy, where it may fail to set the correct user context in certain impersonation scenarios. This can allow a user to act with the identity of a different user. The problem is specifically related to userdata.js in the WOI:WorkOrderConsole component, which allows a username substitution involving a UserData Init call.

Recommendations
For version 7.1, consider restricting access to the WOI:WorkOrderConsole component until a fix is available, and avoid using the UserData Init call in scenarios where user impersonation is involved.

Fix

Weakness Enumeration
Improper Authentication
Related Identifiers
Affected Products
Bmc Remedy