Информационная безопасность
[RU] switch to English


Многочисленные уязвимости безопасности в NetIQ Access Manager
Опубликовано:22 декабря 2014 г.
Источник:
SecurityVulns ID:14157
Тип:удаленная
Уровень опасности:
6/10
Описание:XXE, CSRF, XXS, раскрытие информации.
Затронутые продукты:NETIQ : NetIQ Access Manager 4.0
CVE:CVE-2014-5217 (Cross-site request forgery (CSRF) vulnerability in nps/servlet/webacc in the Administration Console server in NetIQ Access Manager (NAM) 4.x before 4.1 allows remote attackers to hijack the authentication of administrators for requests that change the administrative password via an fw.SetPassword action.)
 CVE-2014-5216 (Multiple cross-site scripting (XSS) vulnerabilities in NetIQ Access Manager (NAM) 4.x before 4.0.1 HF3 allow remote attackers to inject arbitrary web script or HTML via (1) the location parameter in a dev.Empty action to nps/servlet/webacc, (2) the error parameter to nidp/jsp/x509err.jsp, (3) the lang parameter to sslvpn/applet_agent.jsp, or (4) the secureLoggingServersA parameter to roma/system/cntl, a different issue than CVE-2014-9412.)
 CVE-2014-5215 (NetIQ Access Manager (NAM) 4.x before 4.0.1 HF3 allows remote authenticated administrators to discover service-account passwords via a request to (1) roma/jsp/volsc/monitoring/dev_services.jsp or (2) roma/jsp/debug/debug.jsp.)
 CVE-2014-5214 (nps/servlet/webacc in iManager in the Administration Console server in NetIQ Access Manager (NAM) 4.x before 4.0.1 HF3 allows remote authenticated novlwww users to read arbitrary files via a query parameter containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.)
Оригинальный текстdocumentSEC Consult Vulnerability Lab, SEC Consult SA-20141218-2 :: Multiple high risk vulnerabilities in NetIQ Access Manager (22.12.2014)

О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород