Change Download Preference

Current Preference
Change Preference to:

CA20110510-01: Security Notice for CA eHealth

Issued: May 10, 2011

CA Technologies support is alerting customers to a security risk with CA eHealth. A vulnerability exists that may potentially allow an attacker to compromise web user security.

The vulnerability, CVE-2011-1899, occurs due to insufficient validation of sent request parameters. An attacker, who can convince a user to follow a carefully constructed link or view a malicious web page, can conduct various cross-site scripting attacks.

Note: The "Scan user input for potentially malicious HTML content" configuration option does not protect against this vulnerability.

Risk Rating




Affected Products

CA eHealth 6.0.x
CA eHealth 6.1.x
CA eHealth 6.2.1
CA eHealth 6.2.2

How to determine if the installation is affected

Locate the following file on the respective platform:

Platform File Path
Windows "%NH_HOME%extensionslocal42339.log"
Unix "$NH_HOME/extensions/local/42339.log"

If the file is not present, the installation is vulnerable.


Customers may contact CA Technologies support to obtain a patch that resolves this issue. Request the patch for PRD 42339 when submitting the support ticket.


CVE-2011-1899 - eHealth cross-site scripting


CVE-2011-1899 - Tony Fogarty

Change History

Version 1.0: Initial Release

If additional information is required, please contact CA Technologies Support at

If you discover a vulnerability in CA Technologies products, please report your findings to the CA Technologies Product Vulnerability Response Team.