PT-2022-17659 · Bmc · Bmc Remedy

Daniel Hirschberger · Published 2022-11-10 · Updated 2025-05-01 · CVE-2022-26088

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: BMC Remedy versions prior to 22.1

Description: An issue was discovered in BMC Remedy where Email-based Incident Forwarding allows remote authenticated users to inject HTML, such as an SSRF payload, into the Activity Log by placing it in the To: field. This affects rendering that occurs upon a click in the "number of recipients" field. The vendor's position is that no real impact is demonstrated.

Recommendations: For versions prior to 22.1, update to version 22.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the Email-based Incident Forwarding feature until a patch is available. Avoid using the To: field in the Activity Log to minimize the risk of exploitation.
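The root cause described above is a recipient list that reaches the Activity Log markup unescaped. The following is an added example, not BMC's code and not the product's actual rendering path: a small Python model of a "forward by email" log entry that shows the unsafe interpolation pattern beside a hardened version which validates each address, escapes everything user-controlled, and reports malformed entries instead of echoing them as markup. It also includes a check a log reviewer could run over stored To: values to flag ones that contain HTML. The function names, the log markup and the sample To: header are all constructed for illustration.

```python
"""Added example: safely rendering a forwarded-incident recipient list into an
activity-log entry.  Not BMC Remedy code; names and markup are hypothetical."""
import html
import re

# Conservative shape for a single address: local@domain.tld with no angle
# brackets, quotes or whitespace.  Anything else is treated as untrusted text.
_ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Markers that indicate a stored To: value carries markup rather than addresses:
# an opening/closing tag or a numeric character reference.
_MARKUP_RE = re.compile(r"<\s*/?\s*[A-Za-z!]|&#", re.IGNORECASE)

# Constructed sample header: two well-formed addresses and one entry that
# smuggles a tag.  The tag is deliberately harmless; only its shape matters.
SAMPLE_TO = "alice@example.com, bob@example.com, <b>injected</b>@example.com"


def parse_recipients(to_header: str) -> tuple[list[str], list[str]]:
    """Split a raw To: header on commas and sort entries into (valid, rejected).

    Rejected entries are returned separately so the caller can count or log
    them without ever interpolating them into markup unescaped.
    """
    valid, rejected = [], []
    for part in (p.strip() for p in to_header.split(",")):
        if not part:
            continue
        (valid if _ADDR_RE.fullmatch(part) else rejected).append(part)
    return valid, rejected


def render_unsafe(to_header: str) -> str:
    """'Before' pattern: the raw header is dropped straight into the log HTML,
    so any tag in the To: field is rendered as markup by the browser."""
    return f'<li class="activity">Forwarded to {to_header}</li>'


def render_safe(to_header: str) -> str:
    """Hardened rendering: validate, then escape every user-controlled string.

    The "number of recipients" link counts only well-formed addresses, and the
    expanded list is built from html.escape()'d values, so a tag in the header
    is displayed as literal text.  Malformed entries are reported, escaped,
    rather than silently rendered.
    """
    valid, rejected = parse_recipients(to_header)
    items = "".join(f"<li>{html.escape(a, quote=True)}</li>" for a in valid)
    note = ""
    if rejected:
        shown = ", ".join(html.escape(r, quote=True) for r in rejected)
        note = (f'<p class="warn">{len(rejected)} malformed recipient(s) '
                f"ignored: {shown}</p>")
    return (f'<div class="activity"><a href="#recipients">{len(valid)} '
            f'recipient(s)</a><ul id="recipients">{items}</ul>{note}</div>')


def contains_markup(value: str) -> bool:
    """Review check for stored To: values: True if the value carries HTML."""
    return bool(_MARKUP_RE.search(value))


def flag_suspicious_recipients(to_header: str) -> list[str]:
    """Return the individual To: entries a reviewer should look at."""
    return [p.strip() for p in to_header.split(",") if contains_markup(p)]


if __name__ == "__main__":
    print("unsafe:", render_unsafe(SAMPLE_TO))
    print("safe:  ", render_safe(SAMPLE_TO))
    print("flagged:", flag_suspicious_recipients(SAMPLE_TO))
```

Running the block prints the two renderings side by side: the unsafe one contains a live `<b>` element, the safe one shows `&lt;b&gt;injected&lt;/b&gt;@example.com` as text and a recipient count of 2. The same `contains_markup` test can be applied retrospectively to existing log records to find entries that were stored before the 22.1 fix.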

Tags: Exploit · Fix · XSS

Related Identifiers: CVE-2022-26088

Affected Products: Bmc Remedy