CVE-2017-14799 – XSS Vulnerability with ESP URL
https://notcve.org/view.php?id=CVE-2017-14799
A cross site scripting attack in handling the ESP login parameter handling in NetIQ Access Manager before 4.3.3 could be used to inject javascript code into the login page. Un ataque de Cross-Site Scripting (XSS) en la gestión del parámetro ESP login en NetIQ Access Manager, en versiones anteriores a la 4.3.3, podría emplearse para inyectar código JavaScript en la página de inicio de sesión. • https://www.novell.com/support/kb/doc.php?id=7022358 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2017-14800 – Reflected xss on Access Manager iManager UI
https://notcve.org/view.php?id=CVE-2017-14800
A reflected cross site scripting attack in the NetIQ Access Manager before 4.3.3 using the "typecontainerid" parameter of the policy editor could allowed code injection into pages of authenticated users. Un ataque de Cross-Site Scripting (XSS) reflejado en NetIQ Access Manager, en versiones anteriores a la 4.3.3, al emplear el parámetro "typecontainerid" del editor de políticas, podría permitir la inyección de código en páginas de usuarios autenticados. • https://www.novell.com/support/kb/doc.php?id=7022356 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2017-7426 – iManager - XML External Entity vulnerabilities
https://notcve.org/view.php?id=CVE-2017-7426
The NetIQ Identity Manager Plugins before 4.6.1 contained various XML External XML Entity (XXE) handling flaws that could be used by attackers to leak information or cause denial of service attacks. NetIQ Identity Manager Plugins, en versiones anteriores a la 4.6.1, contenía varios errores de gestión de XEE (XML External Entity) que podrían ser empleados por atacantes para filtrar información o provocar ataques de denegación de servicio (DoS). • https://www.novell.com/support/kb/doc.php?id=7021173 • CWE-611: Improper Restriction of XML External Entity Reference •
CVE-2018-1342 – Novell NetIQ Access Manager FwRequest Unrestricted File Upload Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2018-1342
A Vulnerability exists on Admin Console where an attacker can upload files to the Admin Console server, and potentially execute them. This impacts NetIQ Access Manager versions 4.3 and 4.4 as well as the Administrative console. Existe una vulnerabilidad en Admin Console en la que un atacante puede subir archivos en el servidor de Admin Console y ejecutarlos. Esto provoca un impacto en las versiones 4.3 y 4.4 de NetIQ Access Manager, así como la consola de administración. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Novell NetIQ Access Manager. • https://www.novell.com/support/kb/doc.php?id=7022444 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2017-14803 – Novell NetIQ Access Manager OspUIBasicSSODownload Servlet fileInfo1 Directory Traversal Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2017-14803
In NetIQ Access Manager 4.3 and 4.4, a bug exists in Identity Server when accessing a basic SSO connector and downloading the BasicSSO connector plugins on IE11 where an attacker can execute arbitrary code on the system. En NetIQ Access Manager 4.3 y 4.4, existe un error en Identity Server al acceder a un conector SSO básico y descargar los plugins BasicSSO connector en IE11, donde un atacante puede ejecutar código arbitrario en el sistema. This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Novell NetIQ Access Manager. Authentication is not required to exploit this vulnerability. The specific flaw exists within the downloadBasicSSOServlet servlet. When parsing the fileInfo1 parameter, the process does not properly validate a user-supplied path prior to using it in file operations. • https://www.novell.com/support/kb/doc.php?id=7022443 •