CVE-2016-5756
https://notcve.org/view.php?id=CVE-2016-5756
Multiple components of the web tools in NetIQ Access Manager 4.1 before 4.1.2 Hot Fix 1 and 4.2 before 4.2.2 were vulnerable to Reflected Cross Site Scripting attacks which could be used to hijack user sessions: nps/servlet/frameservice, nps/servlet/webacc, roma/admin/cntl, roma/jsp/admin/appliance/devicedetail_edit.jsp, roma/jsp/admin/managementip/mgmt_ip_details_frameset.jsp, roma/jsp/admin/managementip/mgmt_ip_details_middleframe.jsp, roma/jsp/volsc/monitoring/appliance.jsp, and roma/jsp/volsc/monitoring/graph.jsp. Múltiples componentes de la herramientas web en NetIQ Access Manager 4.1 en versiones anteriores a 4.1.2 Hot Fix 1 y 4.2 en versiones anteriores a 4.2.2 eran vulnerables a ataques de XSS reflejados los cuales podían ser empleados para secuestrar la sesiones del usuario: nps/servlet/frameservice, nps/servlet/webacc, roma/admin/cntl, roma/jsp/admin/appliance/devicedetail_edit.jsp, roma/jsp/admin/managementip/mgmt_ip_details_frameset.jsp, roma/jsp/admin/managementip/mgmt_ip_details_middleframe.jsp, roma/jsp/volsc/monitoring/appliance.jsp y roma/jsp/volsc/monitoring/graph.jsp. • https://www.novell.com/support/kb/doc.php?id=7017813 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2016-5752
https://notcve.org/view.php?id=CVE-2016-5752
The SAML2 implementation in Identity Server in NetIQ Access Manager 4.1 before 4.1.2 HF1 and 4.2 before 4.2.2 was handling unsigned SAML requests incorrectly, leaking results to a potentially malicious "Assertion Consumer Service URL" instead of the original requester. La implementación SAML2 en Identity Server en NetIQ Access Manager 4.1 en versiones anteriores a 4.1.2 HF1 y 4.2 en versiones anteriores a 4.2.2 estaba manejando incorrectamente las solicitudes SAML no firmadas, filtrando los resultados a una "Assertion Consumer Service URL" potencialmente maliciosa en lugar de al solicitante original. • https://www.novell.com/support/kb/doc.php?id=7017809 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2016-5758
https://notcve.org/view.php?id=CVE-2016-5758
A cross site request forgery protection mechanism in NetIQ Access Manager 4.1 before 4.1.2 Hot Fix 1 and 4.2 before 4.2.2 could be circumvented by repeated uploads causing a high load. Un mecanismo de protección contra CSRF en NetIQ Access Manager 4.1 en versiones anteriores a 4.1.2 Hot Fix 1 y 4.2 en versiones anteriores a 4.2.2 podría ser eludido por subidas repetidas provocando una carga alta. • http://www.securityfocus.com/bid/97035 https://www.novell.com/support/kb/doc.php?id=7017817 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2014-9412 – NetIQ Access Manager 4.0 SP1 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2014-9412
Multiple cross-site scripting (XSS) vulnerabilities in NetIQ Access Manager (NAM) 4.x before 4.1 allow remote attackers to inject arbitrary web script or HTML via (1) an arbitrary parameter to roma/jsp/debug/debug.jsp or (2) an arbitrary parameter in a debug.DumpAll action to nps/servlet/webacc, a different issue than CVE-2014-5216. Los dispositivos Cisco-Meraki MS, MR y MX con firmware anrerior a 2014-09-24 permiten a atacantes remotos obtener información sensible de credenciales aprovechando un manejador de acceso HTTP no especificado em ña red local, también conocido como Cisco-Meraki defect ID 00302012. • https://www.exploit-db.com/exploits/35594 http://packetstormsecurity.com/files/129658/NetIQ-Access-Manager-4.0-SP1-XSS-CSRF-XXE-Injection-Disclosure.html http://seclists.org/fulldisclosure/2014/Dec/78 https://www.novell.com/support/kb/doc.php?id=7015994 https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20141218-2_Novell_NetIQ_Access_Manager_Multiple_Vulnerabilities_v10.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2014-5216 – NetIQ Access Manager 4.0 SP1 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2014-5216
Multiple cross-site scripting (XSS) vulnerabilities in NetIQ Access Manager (NAM) 4.x before 4.0.1 HF3 allow remote attackers to inject arbitrary web script or HTML via (1) the location parameter in a dev.Empty action to nps/servlet/webacc, (2) the error parameter to nidp/jsp/x509err.jsp, (3) the lang parameter to sslvpn/applet_agent.jsp, or (4) the secureLoggingServersA parameter to roma/system/cntl, a different issue than CVE-2014-9412. Múltiples vulnerabilidades XSS en NetIQ Access Manager (NAM) 4.x anterior a 4.0.1 HF3 permite a atacantes remotos inyectar scripts arbitrarios o HTML mediante (1) el parámetro de ubicación en una acción dev.Empty hacia nps/servlet/webacc, (2) el parámetro error hacia nidp/jsp/x509err.jsp, (3) el parámetro lang hacia sslvpn/applet_agent.jsp o (4) el parámetro secureLoggingServersA hacia roma/system/cntl, un problema distinto de CVE-2014-9412. NetIQ Access Manager version 4.0 SP1 suffers from cross site request forgery, external entity injection, information disclosure, and cross site scripting vulnerabilities. • https://www.exploit-db.com/exploits/35594 http://packetstormsecurity.com/files/129658/NetIQ-Access-Manager-4.0-SP1-XSS-CSRF-XXE-Injection-Disclosure.html http://seclists.org/fulldisclosure/2014/Dec/78 https://www.novell.com/support/kb/doc.php?id=7015994 https://www.novell.com/support/kb/doc.php?id=7015996 https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20141218-2_Novell_NetIQ_Access_Manager_Multiple_Vulnerabilities_v10.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •