
CVSS: 9.8 | EPSS: 0% | CPEs: 2 | EXPL: 0

PAM exposure enabling unauthenticated access to remote host.
• https://www.netiq.com/documentation/privileged-account-manager-3/npam3104-release-notes/data/npam3104-release-notes.html
• https://www.netiq.com/documentation/privileged-account-manager-3/npam3203-release-notes/data/npam3203-release-notes.html
• https://www.novell.com/support/kb/doc.php?id=7022630
• CWE-287: Improper Authentication

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

Multiple cross-site scripting attacks were found in the Identity Manager Plug-in, hosted on iManager 2.7.7.7, before Identity Manager 4.6.1. In certain scenarios it was possible to execute arbitrary JavaScript code in the context of the vulnerable application via user.Context in the Object Selector, via vdtData in the Version discovery, via nextFrame in the Object Inspector, and via Host GUID in the System details plugins.
• https://bugzilla.suse.com/show_bug.cgi?id=1033828
• https://www.novell.com/support/kb/doc.php?id=7021423
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 | EPSS: 0% | CPEs: 4 | EXPL: 0

NetIQ Privileged Account Manager before 3.1 Patch Update 3 allowed cross-site scripting attacks via the "type" and "account" parameters of JSON requests.
• https://bugzilla.suse.com/show_bug.cgi?id=1001069
• https://www.netiq.com/documentation/privileged-account-manager-3/npam3103-release-notes/data/npam3103-release-notes.html
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

Some NetIQ Identity Manager Applications before Identity Manager 4.5.6.1 included the session token in GET URLs, potentially allowing exposure of user sessions to untrusted third parties via proxies, referer URLs or similar.
• https://bugzilla.suse.com/show_bug.cgi?id=1049143
• https://download.novell.com/Download?buildid=K7lbPAGJyIk~
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
• CWE-598: Use of GET Request Method With Sensitive Query Strings

CVSS: 9.8 | EPSS: 0% | CPEs: 4 | EXPL: 0

NetIQ eDirectory before 9.0 SP4 did not enforce login restrictions when "ebaclient" was used, allowing unpermitted access to eDirectory services.
• https://bugzilla.suse.com/show_bug.cgi?id=1029077
• https://www.netiq.com/documentation/edirectory-9/edirectory904_releasenotes/data/edirectory904_releasenotes.html
• https://www.novell.com/support/kb/doc.php?id=7016794
• CWE-284: Improper Access Control
• CWE-287: Improper Authentication