CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2016-5752
https://notcve.org/view.php?id=CVE-2016-5752
The SAML2 implementation in Identity Server in NetIQ Access Manager 4.1 before 4.1.2 HF1 and 4.2 before 4.2.2 was handling unsigned SAML requests incorrectly, leaking results to a potentially malicious "Assertion Consumer Service URL" instead of the original requester. La implementación SAML2 en Identity Server en NetIQ Access Manager 4.1 en versiones anteriores a 4.1.2 HF1 y 4.2 en versiones anteriores a 4.2.2 estaba manejando incorrectamente las solicitudes SAML no firmadas, filtrando los resultados a una "Assertion Consumer Service URL" potencialmente maliciosa en lugar de al solicitante original. • https://www.novell.com/support/kb/doc.php?id=7017809 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.8EPSS: 0%CPEs: 5EXPL: 0CVE-2016-5758
https://notcve.org/view.php?id=CVE-2016-5758
A cross site request forgery protection mechanism in NetIQ Access Manager 4.1 before 4.1.2 Hot Fix 1 and 4.2 before 4.2.2 could be circumvented by repeated uploads causing a high load. Un mecanismo de protección contra CSRF en NetIQ Access Manager 4.1 en versiones anteriores a 4.1.2 Hot Fix 1 y 4.2 en versiones anteriores a 4.2.2 podría ser eludido por subidas repetidas provocando una carga alta. • http://www.securityfocus.com/bid/97035 https://www.novell.com/support/kb/doc.php?id=7017817 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 5CVE-2014-9412 – NetIQ Access Manager 4.0 SP1 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2014-9412
Multiple cross-site scripting (XSS) vulnerabilities in NetIQ Access Manager (NAM) 4.x before 4.1 allow remote attackers to inject arbitrary web script or HTML via (1) an arbitrary parameter to roma/jsp/debug/debug.jsp or (2) an arbitrary parameter in a debug.DumpAll action to nps/servlet/webacc, a different issue than CVE-2014-5216. Los dispositivos Cisco-Meraki MS, MR y MX con firmware anrerior a 2014-09-24 permiten a atacantes remotos obtener información sensible de credenciales aprovechando un manejador de acceso HTTP no especificado em ña red local, también conocido como Cisco-Meraki defect ID 00302012. • https://www.exploit-db.com/exploits/35594 http://packetstormsecurity.com/files/129658/NetIQ-Access-Manager-4.0-SP1-XSS-CSRF-XXE-Injection-Disclosure.html http://seclists.org/fulldisclosure/2014/Dec/78 https://www.novell.com/support/kb/doc.php?id=7015994 https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20141218-2_Novell_NetIQ_Access_Manager_Multiple_Vulnerabilities_v10.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 1%CPEs: 2EXPL: 6CVE-2014-5216 – NetIQ Access Manager 4.0 SP1 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2014-5216
Multiple cross-site scripting (XSS) vulnerabilities in NetIQ Access Manager (NAM) 4.x before 4.0.1 HF3 allow remote attackers to inject arbitrary web script or HTML via (1) the location parameter in a dev.Empty action to nps/servlet/webacc, (2) the error parameter to nidp/jsp/x509err.jsp, (3) the lang parameter to sslvpn/applet_agent.jsp, or (4) the secureLoggingServersA parameter to roma/system/cntl, a different issue than CVE-2014-9412. Múltiples vulnerabilidades XSS en NetIQ Access Manager (NAM) 4.x anterior a 4.0.1 HF3 permite a atacantes remotos inyectar scripts arbitrarios o HTML mediante (1) el parámetro de ubicación en una acción dev.Empty hacia nps/servlet/webacc, (2) el parámetro error hacia nidp/jsp/x509err.jsp, (3) el parámetro lang hacia sslvpn/applet_agent.jsp o (4) el parámetro secureLoggingServersA hacia roma/system/cntl, un problema distinto de CVE-2014-9412. NetIQ Access Manager version 4.0 SP1 suffers from cross site request forgery, external entity injection, information disclosure, and cross site scripting vulnerabilities. • https://www.exploit-db.com/exploits/35594 http://packetstormsecurity.com/files/129658/NetIQ-Access-Manager-4.0-SP1-XSS-CSRF-XXE-Injection-Disclosure.html http://seclists.org/fulldisclosure/2014/Dec/78 https://www.novell.com/support/kb/doc.php?id=7015994 https://www.novell.com/support/kb/doc.php?id=7015996 https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20141218-2_Novell_NetIQ_Access_Manager_Multiple_Vulnerabilities_v10.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 4CVE-2014-5217 – NetIQ Access Manager 4.0 SP1 XSS / CSRF / XXE Injection / Disclosure
https://notcve.org/view.php?id=CVE-2014-5217
Cross-site request forgery (CSRF) vulnerability in nps/servlet/webacc in the Administration Console server in NetIQ Access Manager (NAM) 4.x before 4.1 allows remote attackers to hijack the authentication of administrators for requests that change the administrative password via an fw.SetPassword action. Vulnerabilidad de CSRF en nps/servlet/webacc en el servidor Administration Console en NetIQ Access Manager (NAM) 4.x anterior a 4.1 permite a atacantes remotos secuestrar la autenticación de los administradores para peticiones que cambian la contraseña administrativa mediante una acción fw.SetPassword. NetIQ Access Manager version 4.0 SP1 suffers from cross site request forgery, external entity injection, information disclosure, and cross site scripting vulnerabilities. • http://packetstormsecurity.com/files/129658/NetIQ-Access-Manager-4.0-SP1-XSS-CSRF-XXE-Injection-Disclosure.html http://seclists.org/fulldisclosure/2014/Dec/78 https://www.novell.com/support/kb/doc.php?id=7015997 https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20141218-2_Novell_NetIQ_Access_Manager_Multiple_Vulnerabilities_v10.txt • CWE-352: Cross-Site Request Forgery (CSRF) •