CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2016-5752
https://notcve.org/view.php?id=CVE-2016-5752
The SAML2 implementation in Identity Server in NetIQ Access Manager 4.1 before 4.1.2 HF1 and 4.2 before 4.2.2 was handling unsigned SAML requests incorrectly, leaking results to a potentially malicious "Assertion Consumer Service URL" instead of the original requester. La implementación SAML2 en Identity Server en NetIQ Access Manager 4.1 en versiones anteriores a 4.1.2 HF1 y 4.2 en versiones anteriores a 4.2.2 estaba manejando incorrectamente las solicitudes SAML no firmadas, filtrando los resultados a una "Assertion Consumer Service URL" potencialmente maliciosa en lugar de al solicitante original. • https://www.novell.com/support/kb/doc.php?id=7017809 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2016-5749
https://notcve.org/view.php?id=CVE-2016-5749
NetIQ Access Manager 4.1 before 4.1.2 HF 1 and 4.2 before 4.2.2 was parsing incoming SAML requests with external entity resolution enabled, which could lead to local file disclosure via an XML External Entity (XXE) attack. NetIQ Access Manager 4.1 en versiones anteriores a 4.1.2 HF 1 y 4.2 en versiones anteriores a 4.2.2 analizaba solicitudes SAML entrantes con la resolución de entidad externa habilitada, lo que puede conducir a la divulgación de archivos locales a través de un ataque de XXE. • https://www.novell.com/support/kb/doc.php?id=7017806 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 8.8EPSS: 0%CPEs: 5EXPL: 0CVE-2016-5750
https://notcve.org/view.php?id=CVE-2016-5750
The certificate upload feature in iManager in NetIQ Access Manager 4.1 before 4.1.2 Hot Fix 1 and 4.2 before 4.2.2 could be used to upload JSP pages that would be executed as the iManager user, allowing code execution by logged-in remote users. La función de carga de certificados en iManager en NetIQ Access Manager 4.1 en versiones anteriores a 4.1.2 Hot Fix 1 y 4.2 en versiones anteriores a 4.2.2 podría utilizarse para cargar páginas JSP que se ejecutarían como usuario iManager, permitiendo la ejecución de código por usuarios remotos conectados. • https://www.novell.com/support/kb/doc.php?id=7017807 • CWE-284: Improper Access Control •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 5CVE-2014-9412 – NetIQ Access Manager 4.0 SP1 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2014-9412
Multiple cross-site scripting (XSS) vulnerabilities in NetIQ Access Manager (NAM) 4.x before 4.1 allow remote attackers to inject arbitrary web script or HTML via (1) an arbitrary parameter to roma/jsp/debug/debug.jsp or (2) an arbitrary parameter in a debug.DumpAll action to nps/servlet/webacc, a different issue than CVE-2014-5216. Los dispositivos Cisco-Meraki MS, MR y MX con firmware anrerior a 2014-09-24 permiten a atacantes remotos obtener información sensible de credenciales aprovechando un manejador de acceso HTTP no especificado em ña red local, también conocido como Cisco-Meraki defect ID 00302012. • https://www.exploit-db.com/exploits/35594 http://packetstormsecurity.com/files/129658/NetIQ-Access-Manager-4.0-SP1-XSS-CSRF-XXE-Injection-Disclosure.html http://seclists.org/fulldisclosure/2014/Dec/78 https://www.novell.com/support/kb/doc.php?id=7015994 https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20141218-2_Novell_NetIQ_Access_Manager_Multiple_Vulnerabilities_v10.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.0EPSS: 0%CPEs: 2EXPL: 4CVE-2014-5214 – NetIQ Access Manager 4.0 SP1 XSS / CSRF / XXE Injection / Disclosure
https://notcve.org/view.php?id=CVE-2014-5214
nps/servlet/webacc in iManager in the Administration Console server in NetIQ Access Manager (NAM) 4.x before 4.0.1 HF3 allows remote authenticated novlwww users to read arbitrary files via a query parameter containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. nps/servlet/webacc en iManager en el servidor Administration Console de NetIQ Access Manager (NAM) 4.x anterior a 4.0.1 HF3 permite a usuarios remotos autenticados leer archivos arbitrarios a través de un parámetro en la consulta que contenga una declaración de identidad XML externa junto con una referencia a una entidad, relacionada con el error XML External Entity (XXE) NetIQ Access Manager version 4.0 SP1 suffers from cross site request forgery, external entity injection, information disclosure, and cross site scripting vulnerabilities. • http://packetstormsecurity.com/files/129658/NetIQ-Access-Manager-4.0-SP1-XSS-CSRF-XXE-Injection-Disclosure.html http://seclists.org/fulldisclosure/2014/Dec/78 https://www.novell.com/support/kb/doc.php?id=7015993 https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20141218-2_Novell_NetIQ_Access_Manager_Multiple_Vulnerabilities_v10.txt •