Access Manager
by Microfocus
CVEs (43)
| CVE | Sev | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|---|
| CVE-2017-14802 | Med | 0.35 | 5.4 | 0.01 | Mar 2, 2018 | Novell Access Manager Admin Console and IDP servers before 4.3.3 have a URL that could be used by remote attackers to trigger unvalidated redirects to third party sites. |
| CVE-2017-14800 | Med | 0.35 | 5.4 | 0.01 | Mar 1, 2018 | A reflected cross site scripting attack in NetIQ Access Manager before 4.3.3 using the "typecontainerid" parameter of the policy editor could allow code injection into pages of authenticated users. |
| CVE-2017-7419 | Med | 0.30 | 4.6 | 0.01 | Mar 2, 2018 | An OAuth application in NetIQ Access Manager 4.3 before 4.3.2 and 4.2 before 4.2.4 allowed cross site scripting attacks due to an unescaped "description" field that could be specified by the provider. |
| CVE-2017-14801 | Med | 0.30 | 4.6 | 0.01 | Mar 2, 2018 | Reflected XSS in NetIQ Access Manager before 4.3.3 allowed attackers to reflect XSS back into the called page using the url parameter. |
| CVE-2017-14799 | Med | 0.30 | 4.6 | 0.01 | Mar 1, 2018 | A cross site scripting attack in the ESP login parameter handling in NetIQ Access Manager before 4.3.3 could be used to inject javascript code into the login page. |
| CVE-2018-7678 | Low | 0.23 | 3.5 | 0.01 | Mar 14, 2018 | A cross site scripting vulnerability exists in the Administration Console in NetIQ Access Manager (NAM) 4.3 and 4.4. |
| CVE-2018-7677 | Low | 0.23 | 3.5 | 0.01 | Mar 14, 2018 | A CSRF exposure exists in the NetIQ Access Manager (NAM) 4.4 Identity Server component. |
| CVE-2017-5190 | Low | 0.20 | 3.1 | 0.01 | Apr 20, 2017 | NetIQ Access Manager 4.2 before SP3 HF1 and 4.3 before SP1 HF1, when configured as a SAML 2.0 Identity Server with Virtual Attributes, has a concurrency issue causing information leakage, related to a stale profile. |
| CVE-2014-9412 | — | 0.03 | — | 0.03 | Dec 23, 2014 | Multiple cross-site scripting (XSS) vulnerabilities in NetIQ Access Manager (NAM) 4.x before 4.1 allow remote attackers to inject arbitrary web script or HTML via (1) an arbitrary parameter to roma/jsp/debug/debug.jsp or (2) an arbitrary parameter in a debug.DumpAll action to… |
| CVE-2014-5216 | — | 0.03 | — | 0.03 | Dec 23, 2014 | Multiple cross-site scripting (XSS) vulnerabilities in NetIQ Access Manager (NAM) 4.x before 4.0.1 HF3 allow remote attackers to inject arbitrary web script or HTML via (1) the location parameter in a dev.Empty action to nps/servlet/webacc, (2) the error parameter to… |
| CVE-2000-0516 | — | 0.03 | — | 0.01 | Jun 6, 2000 | When configured to store configuration information in an LDAP directory, Shiva Access Manager 5.0.0 stores the root DN (Distinguished Name) name and password in cleartext in a file that is world readable, which allows local users to compromise the LDAP server. |
| CVE-2021-22531 | — | 0.00 | — | 0.01 | May 12, 2022 | A bug exists in an input parameter of Access Manager that allows supplying invalid characters to trigger a cross-site scripting vulnerability. This affects NetIQ Access Manager 4.5 and 5.0. |
| CVE-2020-25840 | — | 0.00 | — | 0.01 | Mar 26, 2021 | Cross-site scripting vulnerability in the Micro Focus Access Manager product, affects all versions prior to version 5.0. The vulnerability could cause configuration destruction. |
| CVE-2021-22496 | — | 0.00 | — | 0.01 | Mar 25, 2021 | Authentication bypass vulnerability in the Micro Focus Access Manager product, affects all versions prior to version 4.5.3.3. The vulnerability could cause information leakage. |
| CVE-2018-18255 | — | 0.00 | — | 0.00 | Mar 15, 2019 | An issue was discovered in CapMon Access Manager 5.4.1.1005. The client applications of AccessManagerCoreService.exe communicate with this server through named pipes. A user can initiate communication with the server by creating a named pipe and sending commands to achieve… |
| CVE-2018-18252 | — | 0.00 | — | 0.00 | Mar 15, 2019 | An issue was discovered in CapMon Access Manager 5.4.1.1005. CALRunElevated.exe provides "NT AUTHORITY\SYSTEM" access to unprivileged users via the --system option. |
| CVE-2018-18254 | — | 0.00 | — | 0.00 | Mar 15, 2019 | An issue was discovered in CapMon Access Manager 5.4.1.1005. An unprivileged user can read the cal_whitelist table in the Custom App Launcher (CAL) database, and potentially gain privileges by placing a Trojan horse program at an app pathname. |
| CVE-2018-18253 | — | 0.00 | — | 0.00 | Mar 15, 2019 | An issue was discovered in CapMon Access Manager 5.4.1.1005. CALRunElevated.exe attempts to enforce access control by adding an unprivileged user to the local Administrators group for a very short time to execute a single command. However, the user is left in that group if the… |
| CVE-2018-18256 | — | 0.00 | — | 0.00 | Mar 15, 2019 | An issue was discovered in CapMon Access Manager 5.4.1.1005. A regular user can obtain local administrator privileges if they run any whitelisted application through the Custom App Launcher. |
| CVE-2014-5217 | — | 0.00 | — | 0.01 | Dec 23, 2014 | Cross-site request forgery (CSRF) vulnerability in nps/servlet/webacc in the Administration Console server in NetIQ Access Manager (NAM) 4.x before 4.1 allows remote attackers to hijack the authentication of administrators for requests that change the administrative password via… |
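Triage helper, added here as an example; it is not part of this page and not Micro Focus tooling. It takes the "before X" / "prior to X" version clauses quoted in the NetIQ and Micro Focus Access Manager rows above, matches a deployed Access Manager version against them, and ranks the hits by CVSS, then EPSS. Only the range clauses and scores are copied from the table; the entry list, the clause grammar, and the reading that a bare "before 4.3.3" covers every release older than 4.3.3 are assumptions of this example. Rows whose ranges use service-pack names (CVE-2017-5190) or bare version lists (CVE-2018-7678, CVE-2018-7677, CVE-2021-22531) are not encoded and still need a manual check, as the comments note.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Entry:
    cve: str
    cvss: Optional[float]   # None where the table shows no score
    epss: float
    affected: str           # the range clause as written in the CVE description


# Constructed from the table on this page: NetIQ / Micro Focus Access Manager
# rows with a numeric "before X" or "prior to X" clause. CapMon and Shiva rows
# are different products and are left out on purpose.
ENTRIES = [
    Entry("CVE-2017-14802", 5.4, 0.01, "before 4.3.3"),
    Entry("CVE-2017-14800", 5.4, 0.01, "before 4.3.3"),
    Entry("CVE-2017-7419", 4.6, 0.01, "4.3 before 4.3.2 and 4.2 before 4.2.4"),
    Entry("CVE-2017-14801", 4.6, 0.01, "before 4.3.3"),
    Entry("CVE-2017-14799", 4.6, 0.01, "before 4.3.3"),
    Entry("CVE-2014-9412", None, 0.03, "4.x before 4.1"),
    Entry("CVE-2021-22496", None, 0.01, "all version prior to version 4.5.3.3"),
    Entry("CVE-2020-25840", None, 0.01, "all version prior to version 5.0"),
    Entry("CVE-2014-5217", None, 0.01, "4.x before 4.1"),
]
# Not encoded because the clause is not a plain numeric range (review by hand):
#   CVE-2017-5190  "4.2 before SP3 HF1 and 4.3 before SP1 HF1"
#   CVE-2018-7678  "4.3 and 4.4",  CVE-2018-7677 "4.4",  CVE-2021-22531 "4.5 and 5.0"

# One clause: optional branch ("4.3" or "4.x"), then "before" / "prior to",
# an optional literal "version", then the first fixed version.
CLAUSE_RE = re.compile(
    r"(?:(\d+(?:\.\d+)*|\d+\.x)\s+)?(?:before|prior to)(?:\s+version)?\s+(\d+(?:\.\d+)*)"
)


def parse_ranges(clause: str) -> List[Tuple[str, str]]:
    """'4.3 before 4.3.2 and 4.2 before 4.2.4' -> [('4.3', '4.3.2'), ('4.2', '4.2.4')].
    An empty branch string means the clause applies to every older release."""
    return [(branch, fixed) for branch, fixed in CLAUSE_RE.findall(clause)]


def parse_version(s: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in s.split("."))


def in_branch(installed: Tuple[int, ...], branch: str) -> bool:
    """'' matches everything, '4.x' matches any 4.*, '4.3' matches any 4.3.*"""
    if not branch:
        return True
    prefix = tuple(int(p) for p in branch.split(".") if p != "x")
    return installed[:len(prefix)] == prefix


def older_than(installed: Tuple[int, ...], fixed: Tuple[int, ...]) -> bool:
    """Component-wise compare after right-padding with zeros, so 4.3 == 4.3.0."""
    n = max(len(installed), len(fixed))
    return (installed + (0,) * (n - len(installed))) < (fixed + (0,) * (n - len(fixed)))


def is_affected(installed: str, entry: Entry) -> bool:
    v = parse_version(installed)
    return any(in_branch(v, b) and older_than(v, parse_version(f))
               for b, f in parse_ranges(entry.affected))


def triage(installed: str) -> List[str]:
    """CVE IDs that apply to `installed`, highest CVSS first, EPSS as tie-break;
    entries without a CVSS score sort last."""
    hits = [e for e in ENTRIES if is_affected(installed, e)]
    hits.sort(key=lambda e: (-(e.cvss or 0.0), -e.epss))
    return [e.cve for e in hits]


if __name__ == "__main__":
    for version in ("4.3.1", "4.5.3.3", "5.0"):
        print(version, triage(version))
```

Running it for 4.3.1 lists every "before 4.3.3" entry plus the 4.3-branch clause of CVE-2017-7419, while 4.3.2 drops CVE-2017-7419 because that branch is fixed at 4.3.2; 4.5.3.3 is left with only CVE-2020-25840, and 5.0 matches nothing in the encoded set. The unencoded rows still have to be compared against the vendor's service-pack naming by hand.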
Page 2 of 3