CVE-2018-1342 – Novell NetIQ Access Manager FwRequest Unrestricted File Upload Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2018-1342
A Vulnerability exists on Admin Console where an attacker can upload files to the Admin Console server, and potentially execute them. This impacts NetIQ Access Manager versions 4.3 and 4.4 as well as the Administrative console. Existe una vulnerabilidad en Admin Console en la que un atacante puede subir archivos en el servidor de Admin Console y ejecutarlos. Esto provoca un impacto en las versiones 4.3 y 4.4 de NetIQ Access Manager, así como la consola de administración. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Novell NetIQ Access Manager. • https://www.novell.com/support/kb/doc.php?id=7022444 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2017-14803 – Novell NetIQ Access Manager OspUIBasicSSODownload Servlet fileInfo1 Directory Traversal Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2017-14803
In NetIQ Access Manager 4.3 and 4.4, a bug exists in Identity Server when accessing a basic SSO connector and downloading the BasicSSO connector plugins on IE11 where an attacker can execute arbitrary code on the system. En NetIQ Access Manager 4.3 y 4.4, existe un error en Identity Server al acceder a un conector SSO básico y descargar los plugins BasicSSO connector en IE11, donde un atacante puede ejecutar código arbitrario en el sistema. This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Novell NetIQ Access Manager. Authentication is not required to exploit this vulnerability. The specific flaw exists within the downloadBasicSSOServlet servlet. When parsing the fileInfo1 parameter, the process does not properly validate a user-supplied path prior to using it in file operations. • https://www.novell.com/support/kb/doc.php?id=7022443 •
CVE-2017-5191
https://notcve.org/view.php?id=CVE-2017-5191
An XSS vulnerability on the /NAGErrors URI in NetIQ Access Manager 4.2 and 4.3 exists because Access Gateway Error pages do not validate the HTTP Referer header. Existe una vulnerabilidad de XSS en el URI /NAGErrors en NetIQ Access Manager 4.2 y 4.3 porque las páginas de Access Gateway Error no validan el encabezado HTTP Referer. • http://www.securityfocus.com/bid/98093 https://www.novell.com/support/kb/doc.php?id=7018793 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2017-5183
https://notcve.org/view.php?id=CVE-2017-5183
NetIQ Access Manager 4.2.2 and 4.3.x before 4.3.1+, when configured as an Identity Server, has XSS in the AssertionConsumerServiceURL field of a signed AuthnRequest in a samlp:AuthnRequest document. NetIQ Access Manager 4.2.2 y 4.3.x en versiones anteriores a 4.3.1+, cuando está configurado como Identity Server, tiene XSS en el campo AssertionConsumerServiceURL de un AuthnRequest firmado en un documento samlp: AuthnRequest. • https://www.novell.com/support/kb/doc.php?id=7018509 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2017-5190
https://notcve.org/view.php?id=CVE-2017-5190
NetIQ Access Manager 4.2 before SP3 HF1 and 4.3 before SP1 HF1, when configured as a SAML 2.0 Identity Server with Virtual Attributes, has a concurrency issue causing information leakage, related to a stale profile. NetIQ Access Manager 4.2 en versiones anteriores a SP3 HF1 y 4.3 en versiones anteriores a SP1 HF1 cuando está configurado como un SAML 2.0 Identity Server con Virtual Attributes, tiene un problema de concurrencia causando la fuga de información, relacionado con un perfil obsoleto. • http://www.securityfocus.com/bid/97965 http://www.securitytracker.com/id/1038338 https://www.novell.com/support/kb/doc.php?id=7018792 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •