CVE-2021-28247

Name of the Vulnerable Software and Affected Versions: CA eHealth Performance Manager versions 6.3.2.12 and earlier

Description: The issue allows an authenticated remote user to inject arbitrary web script or HTML due to incorrect sanitization of user-supplied data, performing a Reflected Cross-Site Scripting attack against platform users. The affected endpoints are: "cgi/nhWeb" with the parameter report, "aviewbin/filtermibobjects.pl" with the parameter namefilter, and "aviewbin/query.pl" with the parameters System, SystemText, Group, and GroupText. This issue only affects products that are no longer supported by the maintainer.

Recommendations: For CA eHealth Performance Manager versions 6.3.2.12 and earlier, consider disabling access to the affected endpoints "cgi/nhWeb", "aviewbin/filtermibobjects.pl", and "aviewbin/query.pl" as a temporary workaround to minimize the risk of exploitation. Restrict the use of parameters report, namefilter, System, SystemText, Group, and GroupText in these endpoints until a resolution is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.