CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2017-14802 – Unvalidated Redirect in NetIQ Access Manager after upgrading to NAM 4.3 AC and IDP URLs
https://notcve.org/view.php?id=CVE-2017-14802
02 Mar 2018 — Novell Access Manager Admin Console and IDP servers before 4.3.3 have a URL that could be used by remote attackers to trigger unvalidated redirects to third party sites. Los servidores Novell Access Manager Admin Console y IDP en versiones anteriores a la 4.3.3 tienen una URL que podría ser empleada por atacantes remotos para desencadenar redirecciones sin validar a sitios de terceros. • https://www.novell.com/support/kb/doc.php?id=7022360 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2017-9276 – XSS Vulnerability in iManager
https://notcve.org/view.php?id=CVE-2017-9276
02 Mar 2018 — Novell Access Manager iManager before 4.3.3 did not validate parameters so that cross site scripting content could be reflected back into the result page using the "a" parameter. Novell Access Manager iManager, en versiones anteriores a la 4.3.3, no validaba parámetros, por lo que el contenido de Cross-Site Scripting (XSS) podía reflejarse de nuevo en la página de resultados mediante un parámetro "a". • https://www.novell.com/support/kb/doc.php?id=7022359 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2017-14799 – XSS Vulnerability with ESP URL
https://notcve.org/view.php?id=CVE-2017-14799
01 Mar 2018 — A cross site scripting attack in handling the ESP login parameter handling in NetIQ Access Manager before 4.3.3 could be used to inject javascript code into the login page. Un ataque de Cross-Site Scripting (XSS) en la gestión del parámetro ESP login en NetIQ Access Manager, en versiones anteriores a la 4.3.3, podría emplearse para inyectar código JavaScript en la página de inicio de sesión. • https://www.novell.com/support/kb/doc.php?id=7022358 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2017-14800 – Reflected xss on Access Manager iManager UI
https://notcve.org/view.php?id=CVE-2017-14800
01 Mar 2018 — A reflected cross site scripting attack in the NetIQ Access Manager before 4.3.3 using the "typecontainerid" parameter of the policy editor could allowed code injection into pages of authenticated users. Un ataque de Cross-Site Scripting (XSS) reflejado en NetIQ Access Manager, en versiones anteriores a la 4.3.3, al emplear el parámetro "typecontainerid" del editor de políticas, podría permitir la inyección de código en páginas de usuarios autenticados. • https://www.novell.com/support/kb/doc.php?id=7022356 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 3.5EPSS: 0%CPEs: 2EXPL: 0CVE-2017-5190
https://notcve.org/view.php?id=CVE-2017-5190
20 Apr 2017 — NetIQ Access Manager 4.2 before SP3 HF1 and 4.3 before SP1 HF1, when configured as a SAML 2.0 Identity Server with Virtual Attributes, has a concurrency issue causing information leakage, related to a stale profile. NetIQ Access Manager 4.2 en versiones anteriores a SP3 HF1 y 4.3 en versiones anteriores a SP1 HF1 cuando está configurado como un SAML 2.0 Identity Server con Virtual Attributes, tiene un problema de concurrencia causando la fuga de información, relacionado con un perfil obsoleto. • http://www.securityfocus.com/bid/97965 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 10.0EPSS: 10%CPEs: 3EXPL: 0CVE-2010-0284 – Novell Access Manager Arbitrary File Upload Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2010-0284
18 Jun 2010 — Directory traversal vulnerability in the getEntry method in the PortalModuleInstallManager component in a servlet in nps.jar in the Administration Console (aka Access Management Console) in Novell Access Manager 3.1 before 3.1.2-281 on Windows allows remote attackers to create arbitrary files with any contents, and consequently execute arbitrary code, via a .. (dot dot) in a parameter, aka ZDI-CAN-678. Vulnerabilidad de salto de directorio en el método getEntry en el componente PortalModuleInstallManager en... • http://secunia.com/advisories/40198 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2009-4878
https://notcve.org/view.php?id=CVE-2009-4878
26 May 2010 — Unspecified vulnerability in the Administration Console in Novell Access Manager before 3.1 SP1 allows attackers to access system files via unknown attack vectors. Vulnerabilidad no especificada en la Consola de Administración en Novell Access Manager anterior v3.1 SP1 permite a atacantes acceder al sistema de ficheros a través de vectores de ataque desconocidos. • http://secunia.com/advisories/35898 •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2009-4879
https://notcve.org/view.php?id=CVE-2009-4879
26 May 2010 — The Identity Server in Novell Access Manager before 3.1 SP1 allows attackers with disabled Active Directory accounts to authenticate using X.509 authentication, which bypasses intended access restrictions. El servidor de identidades en Novell Access Manager anterior v3.1 SP1 permite a atacantes con cuenta Active Directory desactivada, autenticarse usando autenticación X.509, que elude las restricciones establecidas • http://www.novell.com/documentation/novellaccessmanager31/accessmanager_readme/data/accessmanager_readme.html • CWE-287: Improper Authentication •
CVSS: 7.5EPSS: 5%CPEs: 252EXPL: 0CVE-2004-0079
https://notcve.org/view.php?id=CVE-2004-0079
18 Mar 2004 — The do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and 0.9.7a to 0.9.7c, allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference. La función do_change_cipher_spec en OpenSSL 0.9.6c hasta 0.9.6.k y 0.9.7a hasta 0.9.7c permite que atacantes remotos provoquen una denegación de servicio (caída) mediante una hábil unión SSL/TLS que provoca un puntero nulo. • ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:05.openssl.asc • CWE-476: NULL Pointer Dereference •
CVSS: 7.5EPSS: 3%CPEs: 252EXPL: 0CVE-2004-0081
https://notcve.org/view.php?id=CVE-2004-0081
18 Mar 2004 — OpenSSL 0.9.6 before 0.9.6d does not properly handle unknown message types, which allows remote attackers to cause a denial of service (infinite loop), as demonstrated using the Codenomicon TLS Test Tool. OpenSSL 0.9.6 anteriores a la 0.9.6d no manejan adecuadamente los tipos de mensajes desconocidos, lo que permite a atacantes remotos causar una denegación de servicios (por bucle infinito), como se demuestra utilizando la herramienta de testeo Codenomicon TLS. • ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2004.10/SCOSA-2004.10.txt •