CVEdetails.com the ultimate security vulnerability data source

Netiq » Access Manager : Security Vulnerabilities

| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2018-7678 | 79 | | XSS | 2018-03-14 | 2019-10-09 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | A cross-site scripting vulnerability exists in the Administration Console in NetIQ Access Manager (NAM) 4.3 and 4.4. |
| 2 | CVE-2018-7677 | 352 | | CSRF | 2018-03-14 | 2019-10-09 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | A CSRF exposure exists in NetIQ Access Manager (NAM) 4.4 Identity Server component. |
| 3 | CVE-2018-1342 | 434 | | | 2018-01-25 | 2018-02-13 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | A vulnerability exists on the Admin Console where an attacker can upload files to the Admin Console server, and potentially execute them. This impacts NetIQ Access Manager versions 4.3 and 4.4 as well as the Administrative console. |
| 4 | CVE-2017-14803 | | | Exec Code | 2018-01-19 | 2019-10-02 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | In NetIQ Access Manager 4.3 and 4.4, a bug exists in Identity Server when accessing a basic SSO connector and downloading the BasicSSO connector plugins on IE11 where an attacker can execute arbitrary code on the system. |
| 5 | CVE-2017-14802 | 601 | | | 2018-03-02 | 2019-10-09 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | Novell Access Manager Admin Console and IDP servers before 4.3.3 have a URL that could be used by remote attackers to trigger unvalidated redirects to third party sites. |
| 6 | CVE-2017-14801 | 79 | | XSS | 2018-03-02 | 2019-10-09 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Reflected XSS in the NetIQ Access Manager before 4.3.3 allowed attackers to reflect XSS back into the called page using the url parameter. |
| 7 | CVE-2017-14800 | 79 | | XSS | 2018-03-01 | 2019-10-09 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | A reflected cross site scripting attack in the NetIQ Access Manager before 4.3.3 using the "typecontainerid" parameter of the policy editor could allow code injection into pages of authenticated users. |
| 8 | CVE-2017-14799 | 79 | | XSS | 2018-03-01 | 2019-10-09 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | A cross site scripting attack in the ESP login parameter handling in NetIQ Access Manager before 4.3.3 could be used to inject JavaScript code into the login page. |
| 9 | CVE-2017-9276 | 79 | | XSS | 2018-03-02 | 2019-10-09 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Novell Access Manager iManager before 4.3.3 did not validate parameters so that cross site scripting content could be reflected back into the result page using the "a" parameter. |
| 10 | CVE-2017-5191 | 79 | | XSS | 2017-04-24 | 2017-05-02 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An XSS vulnerability on the /NAGErrors URI in NetIQ Access Manager 4.2 and 4.3 exists because Access Gateway Error pages do not validate the HTTP Referer header. |
| 11 | CVE-2017-5190 | 200 | | +Info | 2017-04-20 | 2017-07-10 | 3.5 | None | Remote | Medium | Single system | Partial | None | None | NetIQ Access Manager 4.2 before SP3 HF1 and 4.3 before SP1 HF1, when configured as a SAML 2.0 Identity Server with Virtual Attributes, has a concurrency issue causing information leakage, related to a stale profile. |
| 12 | CVE-2017-5183 | 79 | | XSS | 2017-04-20 | 2017-04-26 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | NetIQ Access Manager 4.2.2 and 4.3.x before 4.3.1+, when configured as an Identity Server, has XSS in the AssertionConsumerServiceURL field of a signed AuthnRequest in a samlp:AuthnRequest document. |
| 13 | CVE-2016-5758 | 352 | | CSRF | 2017-03-23 | 2019-04-23 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | A cross site request forgery protection mechanism in NetIQ Access Manager 4.1 before 4.1.2 Hot Fix 1 and 4.2 before 4.2.2 could be circumvented by repeated uploads causing a high load. |
| 14 | CVE-2016-5757 | 200 | | +Info | 2017-03-23 | 2017-03-24 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | iManager Admin Console in NetIQ Access Manager 4.1 before 4.1.2 Hot Fix 1 and 4.2 before 4.2.2 was vulnerable to iFrame manipulation attacks, which could allow remote users to gain access to authentication credentials. |
| 15 | CVE-2016-5756 | 79 | | XSS | 2017-03-23 | 2017-03-24 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Multiple components of the web tools in NetIQ Access Manager 4.1 before 4.1.2 Hot Fix 1 and 4.2 before 4.2.2 were vulnerable to Reflected Cross Site Scripting attacks which could be used to hijack user sessions: nps/servlet/frameservice, nps/servlet/webacc, roma/admin/cntl, roma/jsp/admin/appliance/devicedetail_edit.jsp, roma/jsp/admin/managementip/mgmt_ip_details_frameset.jsp, roma/jsp/admin/managementip/mgmt_ip_details_middleframe.jsp, roma/jsp/volsc/monitoring/appliance.jsp, and roma/jsp/volsc/monitoring/graph.jsp. |
| 16 | CVE-2016-5755 | 20 | | | 2017-03-23 | 2017-03-24 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | NetIQ Access Manager 4.1 before 4.1.2 Hot Fix 1 and 4.2 before 4.2.2 was vulnerable to clickjacking attacks due to a missing SAMEORIGIN filter in the "high encryption" setting. |
| 17 | CVE-2016-5754 | 200 | | +Info | 2017-03-23 | 2017-03-24 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Presence of a .htaccess file could leak information in NetIQ Access Manager 4.1 before 4.1.2 Hot Fix 1 and 4.2 before SP2. |
| 18 | CVE-2016-5752 | 200 | | +Info | 2017-03-23 | 2017-03-24 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The SAML2 implementation in Identity Server in NetIQ Access Manager 4.1 before 4.1.2 HF1 and 4.2 before 4.2.2 was handling unsigned SAML requests incorrectly, leaking results to a potentially malicious "Assertion Consumer Service URL" instead of the original requester. |
| 19 | CVE-2016-5751 | 79 | | XSS | 2017-03-23 | 2017-03-24 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An unfiltered finalizer target URL in the SAML processing feature in Identity Server in NetIQ Access Manager 4.1 before 4.1.2 HF1 and 4.2 before 4.2.2 could be used to trigger XSS and leak authentication credentials. |
| 20 | CVE-2016-5750 | 284 | | Exec Code | 2017-03-23 | 2017-03-24 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial | The certificate upload feature in iManager in NetIQ Access Manager 4.1 before 4.1.2 Hot Fix 1 and 4.2 before 4.2.2 could be used to upload JSP pages that would be executed as the iManager user, allowing code execution by logged-in remote users. |
| 21 | CVE-2016-5749 | 611 | | | 2017-03-23 | 2017-03-24 | 2.1 | None | Local | Low | Not required | Partial | None | None | NetIQ Access Manager 4.1 before 4.1.2 HF 1 and 4.2 before 4.2.2 was parsing incoming SAML requests with external entity resolution enabled, which could lead to local file disclosure via an XML External Entity (XXE) attack. |
| 22 | CVE-2016-5748 | 611 | | | 2017-03-23 | 2017-03-24 | 2.1 | None | Local | Low | Not required | Partial | None | None | External Entity Processing (XXE) vulnerability in the "risk score" application of NetIQ Access Manager 4.1 before 4.1.2 Hot Fix 1 and 4.2 before 4.2.2 could be used to disclose the content of local files to logged-in users. |
| 23 | CVE-2014-9412 | 79 | | XSS | 2014-12-23 | 2014-12-23 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in NetIQ Access Manager (NAM) 4.x before 4.1 allow remote attackers to inject arbitrary web script or HTML via (1) an arbitrary parameter to roma/jsp/debug/debug.jsp or (2) an arbitrary parameter in a debug.DumpAll action to nps/servlet/webacc, a different issue than CVE-2014-5216. |
| 24 | CVE-2014-5217 | 352 | | CSRF | 2014-12-23 | 2014-12-23 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Cross-site request forgery (CSRF) vulnerability in nps/servlet/webacc in the Administration Console server in NetIQ Access Manager (NAM) 4.x before 4.1 allows remote attackers to hijack the authentication of administrators for requests that change the administrative password via an fw.SetPassword action. |
| 25 | CVE-2014-5216 | 79 | | XSS | 2014-12-23 | 2014-12-23 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in NetIQ Access Manager (NAM) 4.x before 4.0.1 HF3 allow remote attackers to inject arbitrary web script or HTML via (1) the location parameter in a dev.Empty action to nps/servlet/webacc, (2) the error parameter to nidp/jsp/x509err.jsp, (3) the lang parameter to sslvpn/applet_agent.jsp, or (4) the secureLoggingServersA parameter to roma/system/cntl, a different issue than CVE-2014-9412. |
| 26 | CVE-2014-5215 | 200 | | +Info | 2014-12-23 | 2014-12-23 | 4.0 | None | Remote | Low | Single system | Partial | None | None | NetIQ Access Manager (NAM) 4.x before 4.0.1 HF3 allows remote authenticated administrators to discover service-account passwords via a request to (1) roma/jsp/volsc/monitoring/dev_services.jsp or (2) roma/jsp/debug/debug.jsp. |
| 27 | CVE-2014-5214 | | | | 2014-12-23 | 2014-12-23 | 4.0 | None | Remote | Low | Single system | Partial | None | None | nps/servlet/webacc in iManager in the Administration Console server in NetIQ Access Manager (NAM) 4.x before 4.0.1 HF3 allows remote authenticated novlwww users to read arbitrary files via a query parameter containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. |

Total number of vulnerabilities: 27