User Impersonation Vulnerability in BMC Remedy AR System Server
CVE-2018-19505

6.5MEDIUM

Key Information:

Vendor

Bmc

Status
Remedy Action Request System Server
Vendor
CVE Published:
3 January 2019

What is CVE-2018-19505?

In BMC Remedy 7.1, a flaw in the Remedy AR System Server can lead to improper user context settings during specific impersonation scenarios. This imperfection arises from the functionality within the WOI:WorkOrderConsole component where the userdata.js allows for username substitution via the UserData_Init call. As a result, this vulnerability may enable unauthorized users to operate under the identity of legitimate users, potentially accessing sensitive information and performing unauthorized actions.

References

http://www.securitytracker.com/id/1042177
vdb-entryx_refsource_SECTRACK
http://packetstormsecurity.com/files/150492/BMC-Remedy-7....
x_refsource_MISC
http://seclists.org/fulldisclosure/2018/Nov/62
mailing-listx_refsource_FULLDISC

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.