Micro Focus: Digital Transformation and Enterprise Software Modernization


Products by Micro Focus Sorted by Most Security Vulnerabilities since 2018

Micro Focus Access Manager: 16 vulnerabilities

Micro Focus Edirectory: 16 vulnerabilities

Micro Focus Arcsight Logger: 9 vulnerabilities

Micro Focus Filr: 4 vulnerabilities

Micro Focus Dimensions Cm: 3 vulnerabilities

Micro Focus Operations Agent: 3 vulnerabilities

Micro Focus Groupwise: 2 vulnerabilities

Micro Focus Imanager: 2 vulnerabilities

Micro Focus Cobol Server: 2 vulnerabilities

Micro Focus Visual Cobol: 2 vulnerabilities

Micro Focus Zenworks: 1 vulnerability

By the Year

In 2024 there have been 25 vulnerabilities in Micro Focus products with an average score of 6.9 out of ten. Last year Micro Focus had 13 security vulnerabilities published, so 12 more vulnerabilities have already been reported in 2024 than in all of last year. Last year's average CVE base score was higher by 0.55.

Year  Vulnerabilities  Average Score
2024  25               6.93
2023  13               7.48
2022  15               6.15
2021  37               7.04
2020  28               6.99
2019  34               7.29
2018  37               7.68

It may take a day or so for new Micro Focus vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Micro Focus Security Vulnerabilities

OpenText ArcSight XSS Vulnerability - November 2024

CVE-2024-9841 6.1 - Medium - November 08, 2024

A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in OpenText ArcSight Management Center and ArcSight Platform. The vulnerability could be remotely exploited.

XSS

OpenText iManager XSS via Input Validation

CVE-2020-11859 5.4 - Medium - November 06, 2024

Improper Input Validation vulnerability in OpenText iManager allows Cross-Site Scripting (XSS). This issue affects iManager before 3.2.3.

XSS

Improper Validation of Specified Quantity in Input vulnerability in OpenText Application Automation Tools

CVE-2024-4211 2.4 - Low - October 16, 2024

Improper Validation of Specified Quantity in Input vulnerability in OpenText Application Automation Tools allows Exploiting Incorrectly Configured Access Control Security Levels. Multiple missing permission checks in the ALM job config have been discovered in OpenText Application Automation Tools. The vulnerability could allow users with Overall/Read permission to enumerate ALM server names, usernames and client IDs configured to be used with ALM servers. This issue affects OpenText Application Automation Tools: 24.1.0 and below.

Improper Validation of Specified Quantity in Input vulnerability in OpenText Application Automation Tools

CVE-2024-4692 2.4 - Low - October 16, 2024

Improper Validation of Specified Quantity in Input vulnerability in OpenText Application Automation Tools allows Exploiting Incorrectly Configured Access Control Security Levels. Multiple missing permission checks in the Service Virtualization config have been discovered in OpenText Application Automation Tools. The vulnerability could allow users with Overall/Read permission to enumerate Service Virtualization server names. This issue affects OpenText Application Automation Tools: 24.1.0 and below.

Improper Restriction of XML External Entity Reference vulnerability in OpenText Application Automation Tools

CVE-2024-4184 8 - High - October 16, 2024

Improper Restriction of XML External Entity Reference vulnerability in OpenText Application Automation Tools allows DTD Injection. This issue affects OpenText Application Automation Tools: 24.1.0 and below.

XXE

Improper Restriction of XML External Entity Reference vulnerability in OpenText Application Automation Tools

CVE-2024-4189 8 - High - October 16, 2024

Improper Restriction of XML External Entity Reference vulnerability in OpenText Application Automation Tools allows DTD Injection. This issue affects OpenText Application Automation Tools: 24.1.0 and below.

XXE

Improper Restriction of XML External Entity Reference vulnerability in OpenText Application Automation Tools

CVE-2024-4690 8 - High - October 16, 2024

Improper Restriction of XML External Entity Reference vulnerability in OpenText Application Automation Tools allows DTD Injection. This issue affects OpenText Application Automation Tools: 24.1.0 and below.

XXE

Possible Improper Neutralization of Input During Web Page Generation Vulnerability in eDirectory has been discovered in OpenText eDirectory 9.2.3.0000.

CVE-2021-22503 6.1 - Medium - September 12, 2024

Possible Improper Neutralization of Input During Web Page Generation Vulnerability in eDirectory has been discovered in OpenText eDirectory 9.2.3.0000.

XSS

Possible NLDAP Denial of Service attack Vulnerability in eDirectory has been discovered in OpenText eDirectory before 9.2.4.0000.

CVE-2021-22532 7.5 - High - September 12, 2024

Possible NLDAP Denial of Service attack Vulnerability in eDirectory has been discovered in OpenText eDirectory before 9.2.4.0000.

Allocation of Resources Without Limits or Throttling

Possible Insertion of Sensitive Information into Log File Vulnerability in eDirectory has been discovered in OpenText eDirectory 9.2.4.0000.

CVE-2021-22533 9.1 - Critical - September 12, 2024

Possible Insertion of Sensitive Information into Log File Vulnerability in eDirectory has been discovered in OpenText eDirectory 9.2.4.0000.

Insertion of Sensitive Information into Log File

Possible Cross-Site Scripting (XSS) Vulnerability in eDirectory has been discovered in OpenText eDirectory 9.2.5.0000.

CVE-2021-38131 6.1 - Medium - September 12, 2024

Possible Cross-Site Scripting (XSS) Vulnerability in eDirectory has been discovered in OpenText eDirectory 9.2.5.0000.

XSS

Possible External Service Interaction attack in eDirectory has been discovered in OpenText eDirectory

CVE-2021-38132 9.8 - Critical - September 12, 2024

Possible External Service Interaction attack in eDirectory has been discovered in OpenText eDirectory. This impacts all versions before 9.2.6.0000.

XSPA

Possible External Service Interaction attack in eDirectory has been discovered in OpenText eDirectory

CVE-2021-38133 6.5 - Medium - September 12, 2024

Possible External Service Interaction attack in eDirectory has been discovered in OpenText eDirectory. This impacts all versions before 9.2.6.0000.

Weak Password Requirements

A vulnerability identified in storing and reusing information in Advance Authentication

CVE-2021-22509 6.5 - Medium - August 28, 2024

A vulnerability identified in storing and reusing information in Advance Authentication. This issue can lead to leakage of sensitive data to an unauthorized user. The issue affects NetIQ Advance Authentication before 6.3.5.1.

Cleartext Storage of Sensitive Information

A vulnerability identified in NetIQ Advance Authentication that leaks sensitive server information

CVE-2021-22529 5.5 - Medium - August 28, 2024

A vulnerability identified in NetIQ Advance Authentication that leaks sensitive server information. This issue affects NetIQ Advance Authentication versions before 6.3.5.1.

Insufficient or weak TLS protocol version identified in Advance Authentication client-server communication when a specific service is accessed between devices

CVE-2021-38121 8.8 - High - August 28, 2024

Insufficient or weak TLS protocol version identified in Advance Authentication client-server communication when a specific service is accessed between devices. This issue affects NetIQ Advance Authentication versions before 6.3.5.1.

Inadequate Encryption Strength

A Cross-Site Scripting vulnerability identified in NetIQ Advance Authentication

CVE-2021-38122 8.2 - High - August 28, 2024

A Cross-Site Scripting vulnerability identified in NetIQ Advance Authentication that impacts the server functionality and discloses sensitive information. This issue affects NetIQ Advance Authentication before 6.3.5.1.

XSS

A vulnerability identified in NetIQ Advance Authentication

CVE-2021-22530 9.9 - Critical - August 28, 2024

A vulnerability identified in NetIQ Advance Authentication that doesn't enforce account lockout when a brute-force attack is performed on API-based login. This issue may lead to user account compromise if successful or may impact server performance. This issue impacts all NetIQ Advance Authentication versions before 6.3.5.1.

Improper Restriction of Excessive Authentication Attempts

A vulnerability identified in Advance Authentication

CVE-2021-38120 7.2 - High - August 28, 2024

A vulnerability identified in Advance Authentication that allows bash command injection in the administratively controlled backup functionality due to improper handling of the provided command parameters. This issue affects NetIQ Advance Authentication versions before 6.3.5.1.

Command Injection

Improper Input Validation vulnerability in OpenText NetIQ Access Manager leads to Cross-Site Scripting (XSS) attack

CVE-2024-4554 5.4 - Medium - August 28, 2024

Improper Input Validation vulnerability in OpenText NetIQ Access Manager leads to Cross-Site Scripting (XSS) attack. This issue affects NetIQ Access Manager before 5.0.4.1 and 5.1.

XSS

Improper Privilege Management vulnerability in OpenText NetIQ Access Manager allows user account impersonation in specific scenario

CVE-2024-4555 7.5 - High - August 28, 2024

Improper Privilege Management vulnerability in OpenText NetIQ Access Manager allows user account impersonation in a specific scenario. This issue affects NetIQ Access Manager before 5.0.4.1 and before 5.1.

Improper Privilege Management

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in OpenText NetIQ Access Manager

CVE-2024-4556 7.5 - High - August 28, 2024

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in OpenText NetIQ Access Manager allows access to sensitive information. This issue affects NetIQ Access Manager before 5.0.4 and before 5.1.

Directory traversal

A vulnerability found in OpenText Privileged Access Manager that issues a token

CVE-2020-11846 7.5 - High - August 21, 2024

A vulnerability found in OpenText Privileged Access Manager that issues a token. On successful issuance of the token, a cookie gets set that allows unrestricted access to all the application resources. This issue affects Privileged Access Manager before 3.7.0.1.

An SSH-authenticated user accessing the PAM server can execute an OS command to gain full system access using bash

CVE-2020-11847 7.8 - High - August 21, 2024

An SSH-authenticated user accessing the PAM server can execute an OS command to gain full system access using bash. This issue affects Privileged Access Manager before 3.7.0.1.

Shell injection

Improper Input Validation vulnerability in OpenText Self Service Password Reset allows Cross-Site Scripting (XSS)

CVE-2020-11850 6.1 - Medium - August 21, 2024

Improper Input Validation vulnerability in OpenText Self Service Password Reset allows Cross-Site Scripting (XSS). This issue affects Self Service Password Reset before 4.5.0.2 and 4.4.0.6.

XSS

A potential vulnerability has been identified in Micro Focus ArcSight Management Center

CVE-2020-25835 5.4 - Medium - December 09, 2023

A potential vulnerability has been identified in Micro Focus ArcSight Management Center. The vulnerability could be remotely exploited resulting in stored Cross-Site Scripting (XSS).

XSS

Exposure of Proxy Administrator Credentials: an authenticated administrator-equivalent Filr user

CVE-2023-32268 7.2 - High - December 06, 2023

Exposure of Proxy Administrator Credentials: an authenticated administrator-equivalent Filr user can access the credentials of proxy administrators.

Insufficiently Protected Credentials

Incorrect Privilege Assignment vulnerability in opentext Fortify ScanCentral DAST

CVE-2023-5913 9.8 - Critical - November 08, 2023

Incorrect Privilege Assignment vulnerability in opentext Fortify ScanCentral DAST. The vulnerability could be exploited to gain elevated privileges. This issue affects Fortify ScanCentral DAST versions 21.1, 21.2, 21.2.1, 22.1, 22.1.1, 22.2, 23.1.

Potential open redirect vulnerability in opentext Service Management Automation X (SMAX) versions 2020.05

CVE-2023-4964 6.1 - Medium - October 30, 2023

Potential open redirect vulnerability in opentext Service Management Automation X (SMAX) versions 2020.05, 2020.08, 2020.11, 2021.02, 2021.05, 2021.08, 2021.11, 2022.05, 2022.11 and opentext Asset Management X (AMX) versions 2021.08, 2021.11, 2022.05, 2022.11. The vulnerability could allow attackers to redirect a user to malicious websites.

Open Redirect

User authentication with username and password credentials is ineffective in OpenText (Micro Focus) Visual COBOL

CVE-2023-4501 9.8 - Critical - September 12, 2023

User authentication with username and password credentials is ineffective in OpenText (Micro Focus) Visual COBOL, COBOL Server, Enterprise Developer, and Enterprise Server (including product variants such as Enterprise Test Server), versions 7.0 patch updates 19 and 20, 8.0 patch updates 8 and 9, and 9.0 patch update 1, when LDAP-based authentication is used with certain configurations. When the vulnerability is active, authentication succeeds with any valid username, regardless of whether the password is correct; it may also succeed with an invalid username (and any password). This allows an attacker with access to the product to impersonate any user. Mitigations: The issue is corrected in the upcoming patch update for each affected product. Product overlays and workaround instructions are available through OpenText Support. The vulnerable configurations are believed to be uncommon. Administrators can test for the vulnerability in their installations by attempting to sign on to a Visual COBOL or Enterprise Server component such as ESCWA using a valid username and incorrect password.

authentication

A potential vulnerability has been identified in OpenText / Micro Focus ArcSight Management Center

CVE-2023-32267 8.8 - High - August 11, 2023

A potential vulnerability has been identified in OpenText / Micro Focus ArcSight Management Center. The vulnerability could be remotely exploited.

A potential security vulnerability has been identified in the Enterprise Server Common Web Administration (ESCWA) component used in Enterprise Server

CVE-2023-32265 6.5 - Medium - July 20, 2023

A potential security vulnerability has been identified in the Enterprise Server Common Web Administration (ESCWA) component used in Enterprise Server, Enterprise Test Server, Enterprise Developer, Visual COBOL, and COBOL Server. An attacker would need to be authenticated into ESCWA to attempt to exploit this vulnerability. As described in the hardening guide in the product documentation, other mitigations including restricting network access to ESCWA and restricting users' permissions in the Micro Focus Directory Server also reduce the exposure to this issue. Given the right conditions this vulnerability could be exploited to expose a service account password. The account corresponding to the exposed credentials usually has limited privileges and, in many cases, would only be useful for extracting details of other user accounts and similar information.

A potential vulnerability has been identified in the Micro Focus Dimensions CM Plugin for Jenkins

CVE-2023-32261 6.5 - Medium - July 19, 2023

A potential vulnerability has been identified in the Micro Focus Dimensions CM Plugin for Jenkins. The vulnerability allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. See the following Jenkins security advisory for details: https://www.jenkins.io/security/advisory/2023-06-14/

A potential vulnerability has been identified in the Micro Focus Dimensions CM Plugin for Jenkins

CVE-2023-32262 6.5 - Medium - July 19, 2023

A potential vulnerability has been identified in the Micro Focus Dimensions CM Plugin for Jenkins. The vulnerability allows attackers with Item/Configure permission to access and capture credentials they are not entitled to. See the following Jenkins security advisory for details: https://www.jenkins.io/security/advisory/2023-06-14/

A potential vulnerability has been identified in the Micro Focus Dimensions CM Plugin for Jenkins

CVE-2023-32263 5.7 - Medium - July 19, 2023

A potential vulnerability has been identified in the Micro Focus Dimensions CM Plugin for Jenkins. The vulnerability could be exploited to retrieve a login certificate if an authenticated user is duped into using an attacker-controlled Dimensions CM server. This vulnerability only applies when the Jenkins plugin is configured to use login certificate credentials. See the following Jenkins security advisory for details: https://www.jenkins.io/security/advisory/2023-06-14/

Potential XML External Entity Injection in ArcSight Logger versions prior to 7.3.0.

CVE-2023-24470 9.1 - Critical - June 13, 2023

Potential XML External Entity Injection in ArcSight Logger versions prior to 7.3.0.

XXE

Potential Cross-Site Scripting in ArcSight Logger versions prior to 7.3.0

CVE-2023-24469 6.1 - Medium - June 13, 2023

Potential Cross-Site Scripting in ArcSight Logger versions prior to 7.3.0

XSS

Broken access control in Advanced Authentication versions prior to 6.4.1.1 and 6.3.7.2

CVE-2023-24468 9.8 - Critical - March 15, 2023

Broken access control in Advanced Authentication versions prior to 6.4.1.1 and 6.3.7.2

A vulnerability has been identified in Micro Focus ZENworks 2020 Update 3a and prior versions

CVE-2022-38757 7.2 - High - December 23, 2022

A vulnerability has been identified in Micro Focus ZENworks 2020 Update 3a and prior versions. This vulnerability allows administrators with rights to perform actions (e.g., install a bundle) on a set of managed devices, to be able to exercise these rights on managed devices in the ZENworks zone but which are outside the scope of the administrator. This vulnerability does not result in the administrators gaining additional rights on the managed devices, either in the scope or outside the scope of the administrator.

Improper Privilege Management

A vulnerability has been identified in Micro Focus GroupWise Web in versions prior to 18.4.2

CVE-2022-38756 4.3 - Medium - December 16, 2022

A vulnerability has been identified in Micro Focus GroupWise Web in versions prior to 18.4.2. The GW Web component makes a request to the Post Office Agent that contains sensitive information in the query parameters that could be logged by any intervening HTTP proxies.

Insertion of Sensitive Information into Log File

A potential vulnerability has been identified in Micro Focus Operations Bridge - Containerized

CVE-2022-38754 5.4 - Medium - December 08, 2022

A potential vulnerability has been identified in Micro Focus Operations Bridge - Containerized. The vulnerability could be exploited by a malicious authenticated OBM (Operations Bridge Manager) user to run JavaScript in the browser context of another OBM user. Please note: the vulnerability is only applicable if the Operations Bridge Manager capability is deployed. A potential vulnerability has also been identified in Micro Focus Operations Bridge Manager (OBM). The vulnerability could be exploited by a malicious authenticated OBM user to run JavaScript in the browser context of another OBM user. This issue affects: Micro Focus Operations Bridge Manager versions prior to 2022.11; Micro Focus Operations Bridge - Containerized versions prior to 2022.11.

XSS

This update resolves a multi-factor authentication bypass attack

CVE-2022-38753 6.3 - Medium - November 28, 2022

This update resolves a multi-factor authentication bypass attack

A vulnerability has been identified in Micro Focus Filr in versions prior to 4.3.1.1

CVE-2022-38755 5.3 - Medium - November 21, 2022

A vulnerability has been identified in Micro Focus Filr in versions prior to 4.3.1.1. The vulnerability could be exploited to allow a remote unauthenticated attacker to enumerate valid users of the system (remote unauthenticated user enumeration). This issue affects: Micro Focus Filr versions prior to 4.3.1.1.

Potential vulnerabilities have been identified in Micro Focus ArcSight Logger

CVE-2022-26330 7.5 - High - August 31, 2022

Potential vulnerabilities have been identified in Micro Focus ArcSight Logger. The vulnerabilities could be remotely exploited resulting in Information Disclosure, or Self Cross-Site Scripting (XSS). This issue affects: Micro Focus ArcSight Logger versions prior to v7.2.2.

Potential vulnerabilities have been identified in Micro Focus ArcSight Logger

CVE-2022-26331 6.1 - Medium - August 31, 2022

Potential vulnerabilities have been identified in Micro Focus ArcSight Logger. The vulnerabilities could be remotely exploited resulting in Information Disclosure, or Self Cross-Site Scripting (XSS). This issue affects: Micro Focus ArcSight Logger versions prior to v7.2.2.

XSS

A bug exists in an input parameter of Access Manager that allows supplying invalid characters to trigger a cross-site scripting vulnerability

CVE-2021-22531 6.1 - Medium - May 12, 2022

A bug exists in an input parameter of Access Manager that allows supplying invalid characters to trigger a cross-site scripting vulnerability. This affects NetIQ Access Manager 4.5 and 5.0.

XSS

Reflected Cross Site Scripting (XSS) vulnerability in NetIQ Access Manager prior to 5.0.2

CVE-2022-26325 6.1 - Medium - May 02, 2022

Reflected Cross Site Scripting (XSS) vulnerability in NetIQ Access Manager prior to 5.0.2

XSS

Potential open redirection vulnerability when URL is crafted in specific format in NetIQ Access Manager prior to 5.0.2

CVE-2022-26326 6.1 - Medium - May 02, 2022

Potential open redirection vulnerability when URL is crafted in specific format in NetIQ Access Manager prior to 5.0.2

Open Redirect

Unauthenticated remote code execution in Micro Focus Operations Bridge containerized, affecting versions 2021.05, 2021.08, and newer versions of Micro Focus Operations Bridge containerized if the deployment was upgraded

CVE-2021-38125 9.8 - Critical - April 11, 2022

Unauthenticated remote code execution in Micro Focus Operations Bridge containerized, affecting versions 2021.05, 2021.08, and newer versions of Micro Focus Operations Bridge containerized if the deployment was upgraded from 2021.05 or 2021.08. The vulnerability could be exploited for unauthenticated remote code execution.

A potential information leakage vulnerability has been identified in versions of Micro Focus Voltage SecureMail Mail Relay prior to 7.3.0.1

CVE-2021-38130 6.5 - Medium - February 04, 2022

A potential information leakage vulnerability has been identified in versions of Micro Focus Voltage SecureMail Mail Relay prior to 7.3.0.1. The vulnerability could be exploited to carry out an information leakage attack.

Escalation of privileges vulnerability in Micro Focus Operations Agent, affecting versions 12.x up to and including 12.21

CVE-2021-38129 3.3 - Low - January 25, 2022

Escalation of privileges vulnerability in Micro Focus Operations Agent, affecting versions 12.x up to and including 12.21. The vulnerability could be exploited by a non-privileged local user to access system monitoring data collected by Operations Agent.

Potential vulnerabilities have been identified in Micro Focus ArcSight Enterprise Security Manager, affecting versions 7.4.x and 7.5.x

CVE-2021-38126 6.1 - Medium - January 14, 2022

Potential vulnerabilities have been identified in Micro Focus ArcSight Enterprise Security Manager, affecting versions 7.4.x and 7.5.x. The vulnerabilities could be remotely exploited resulting in Cross-Site Scripting (XSS).

XSS

Potential vulnerabilities have been identified in Micro Focus ArcSight Enterprise Security Manager, affecting versions 7.4.x and 7.5.x

CVE-2021-38127 6.1 - Medium - January 14, 2022

Potential vulnerabilities have been identified in Micro Focus ArcSight Enterprise Security Manager, affecting versions 7.4.x and 7.5.x. The vulnerabilities could be remotely exploited resulting in Cross-Site Scripting (XSS).

XSS

Unauthorized information security disclosure vulnerability on Micro Focus Directory and Resource Administrator (DRA) product

CVE-2021-22535 4.9 - Medium - September 28, 2021

Unauthorized information security disclosure vulnerability on Micro Focus Directory and Resource Administrator (DRA) product, affecting all DRA versions prior to 10.1 Patch 1. The vulnerability could lead to unauthorized information disclosure.

AuthZ

Remote Code Execution vulnerability in Micro Focus ArcSight Enterprise Security Manager (ESM) product, affecting versions 7.0.2 through 7.5

CVE-2021-38124 9.8 - Critical - September 28, 2021

Remote Code Execution vulnerability in Micro Focus ArcSight Enterprise Security Manager (ESM) product, affecting versions 7.0.2 through 7.5. The vulnerability could be exploited resulting in remote code execution.

Command Injection

Injection attack causing a denial of service vulnerability in NetIQ Access Manager prior to 5.0.1 and 4.5.4

CVE-2021-22524 4.9 - Medium - September 13, 2021

Injection attack causing a denial of service vulnerability in NetIQ Access Manager prior to 5.0.1 and 4.5.4

aka Blind XPath Injection

Open Redirection vulnerability in NetIQ Access Manager prior to 5.0.1 and 4.5.4

CVE-2021-22526 6.1 - Medium - September 13, 2021

Open Redirection vulnerability in NetIQ Access Manager prior to 5.0.1 and 4.5.4

Open Redirect

Information leakage vulnerability in NetIQ Access Manager prior to 5.0.1 and 4.5.4

CVE-2021-22527 7.5 - High - September 13, 2021

Information leakage vulnerability in NetIQ Access Manager prior to 5.0.1 and 4.5.4

Reflected Cross Site Scripting (XSS) vulnerability in NetIQ Access Manager prior to 5.0.1 and 4.5.4

CVE-2021-22528 5.4 - Medium - September 13, 2021

Reflected Cross Site Scripting (XSS) vulnerability in NetIQ Access Manager prior to 5.0.1 and 4.5.4

XSS

Open Redirect vulnerability in Micro Focus Network Automation

CVE-2021-38123 6.1 - Medium - September 07, 2021

Open Redirect vulnerability in Micro Focus Network Automation, affecting Network Automation versions 10.4x, 10.5x, 2018.05, 2018.11, 2019.05, 2020.02, 2020.08, 2020.11, 2021.05. The vulnerability could allow redirecting users to malicious websites after authentication.

Open Redirect

This release addresses a potential information leakage vulnerability in NetIQ Access Manager versions prior to 5.0.1

CVE-2021-22525 5.5 - Medium - September 02, 2021

This release addresses a potential information leakage vulnerability in NetIQ Access Manager versions prior to 5.0.1

A potential unauthorized privilege escalation vulnerability has been identified in Micro Focus Data Protector

CVE-2021-22517 8.8 - High - August 05, 2021

A potential unauthorized privilege escalation vulnerability has been identified in Micro Focus Data Protector. The vulnerability affects versions 10.10, 10.20, 10.30, 10.40, 10.50, 10.60, 10.70, 10.80, 10.0 and 10.91. A privileged user may potentially misuse this feature and thus allow unintended and unauthorized access of data.

A privileged escalation vulnerability has been identified in Micro Focus ZENworks Configuration Management

CVE-2021-22521 6.7 - Medium - July 30, 2021

A privileged escalation vulnerability has been identified in Micro Focus ZENworks Configuration Management, affecting version 2020 Update 1 and all prior versions. The vulnerability could be exploited to gain unauthorized system privileges.

AuthZ

Reflected Cross-Site Scripting vulnerability in Micro Focus Verastream Host Integrator

CVE-2021-22522 7.1 - High - July 22, 2021

Reflected Cross-Site Scripting vulnerability in Micro Focus Verastream Host Integrator, affecting version 7.8 Update 1 and earlier versions. The vulnerability could allow disclosure of confidential data.

XSS

XML External Entity vulnerability in Micro Focus Verastream Host Integrator, affecting version 7.8 Update 1 and earlier versions

CVE-2021-22523 7.6 - High - July 22, 2021

XML External Entity vulnerability in Micro Focus Verastream Host Integrator, affecting version 7.8 Update 1 and earlier versions. The vulnerability could allow the control of web browser and hijacking user sessions.

XXE

Multi-Factor Authentication (MFA) functionality can be bypassed

CVE-2021-22515 6.5 - Medium - July 12, 2021

Multi-Factor Authentication (MFA) functionality can be bypassed, allowing the use of single factor authentication in NetIQ Advanced Authentication versions prior to 6.3 SP4 Patch 1.

AuthZ

Insertion of Sensitive Information into Log File vulnerability in Micro Focus Secure API Manager (SAPIM) product, affecting version 2.0.0

CVE-2021-22516 7.5 - High - June 04, 2021

Insertion of Sensitive Information into Log File vulnerability in Micro Focus Secure API Manager (SAPIM) product, affecting version 2.0.0. The vulnerability could lead to sensitive information being in a log file.

Insertion of Sensitive Information into Log File

Execute arbitrary code vulnerability in Micro Focus SiteScope product

CVE-2021-22519 9.8 - Critical - May 28, 2021

Execute arbitrary code vulnerability in Micro Focus SiteScope product, affecting versions 11.40, 11.41, 2018.05 (11.50), 2018.08 (11.51), 2018.11 (11.60), 2019.02 (11.70), 2019.05 (11.80), 2019.08 (11.90), 2019.11 (11.91), 2020.05 (11.92), 2020.10 (11.93). The vulnerability could allow remote attackers to execute arbitrary code on affected installations of SiteScope.

An arbitrary code execution vulnerability exists in Micro Focus Application Performance Management, affecting versions 9.40, 9.50 and 9.51

CVE-2021-22514 9.8 - Critical - April 28, 2021

An arbitrary code execution vulnerability exists in Micro Focus Application Performance Management, affecting versions 9.40, 9.50 and 9.51. The vulnerability could allow remote attackers to execute arbitrary code on affected installations of APM.

Escalation of privileges vulnerability in Micro Focus Operations Agent, affects versions 12.0x, 12.10, 12.11, 12.12, 12.14 and 12.15

CVE-2021-22505 9.8 - Critical - April 13, 2021

Escalation of privileges vulnerability in Micro Focus Operations Agent, affects versions 12.0x, 12.10, 12.11, 12.12, 12.14 and 12.15. The vulnerability could be exploited to escalate privileges and execute code under the account of the Operations Agent.

Advanced Authentication versions prior to 6.3 SP4 have a potential broken authentication issue due to improper session management.

CVE-2021-22497 7.2 - High - April 12, 2021

Advanced Authentication versions prior to 6.3 SP4 have a potential broken authentication issue due to improper session management.

authentication

Missing Authorization vulnerability in Micro Focus Application Automation Tools Plugin - Jenkins plugin

CVE-2021-22513 6.5 - Medium - April 08, 2021

Missing Authorization vulnerability in Micro Focus Application Automation Tools Plugin - Jenkins plugin. The vulnerability affects version 6.7 and earlier versions. The vulnerability could allow access without permission checks.

AuthZ

Improper Certificate Validation vulnerability in Micro Focus Application Automation Tools Plugin - Jenkins plugin

CVE-2021-22511 6.5 - Medium - April 08, 2021

Improper Certificate Validation vulnerability in Micro Focus Application Automation Tools Plugin - Jenkins plugin. The vulnerability affects version 6.7 and earlier versions. The vulnerability could allow unconditional disabling of SSL/TLS certificate checks.

Improper Certificate Validation

Cross-Site Request Forgery (CSRF) vulnerability in Micro Focus Application Automation Tools Plugin - Jenkins plugin

CVE-2021-22512 6.5 - Medium - April 08, 2021

Cross-Site Request Forgery (CSRF) vulnerability in Micro Focus Application Automation Tools Plugin - Jenkins plugin. The vulnerability affects version 6.7 and earlier. It could allow the plugin's form validation methods to be invoked without permission checks, including via a forged request from another site.

Session Riding
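CVE-2021-22513 and CVE-2021-22512 describe the same Jenkins plugin anti-pattern from two angles: a form-validation endpoint that is reachable over GET with no permission check is both a missing-authorization bug and a CSRF target. The following added example is illustrative code written for this page, not the plugin's own source: a hypothetical `ExampleBuilder` descriptor showing the unsafe `doCheck` method beside the hardened one using the real Jenkins/Stapler APIs (`@POST`, `@AncestorInPath`, `checkPermission`).

```java
import hudson.Extension;
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

// Hypothetical build step used only to carry the descriptor below.
public class ExampleBuilder extends Builder {

    @Extension
    public static final class DescriptorImpl extends BuildStepDescriptor<Builder> {

        // VULNERABLE: Stapler exposes this at
        //   <jenkins>/descriptorByName/ExampleBuilder/checkServerUrlUnsafe?value=...
        // It answers GET requests, needs no crumb (CSRF token) and checks no
        // permission, so any Overall/Read user, or a link an admin clicks,
        // can drive it. If probe() contacted the URL it would also be SSRF.
        public FormValidation doCheckServerUrlUnsafe(@QueryParameter String value) {
            return probe(value);
        }

        // HARDENED: @POST makes Stapler reject GET and require the crumb,
        // which closes the CSRF angle; the permission check limits the
        // endpoint to users who may configure this item (or administer
        // Jenkins when reached outside an item context).
        @POST
        public FormValidation doCheckServerUrl(@AncestorInPath Item item,
                                               @QueryParameter String value) {
            if (item == null) {
                Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            } else {
                item.checkPermission(Item.CONFIGURE);
            }
            return probe(value);
        }

        // The validation itself is the same in both cases; only the guards differ.
        private static FormValidation probe(String value) {
            if (value == null || value.trim().isEmpty()) {
                return FormValidation.error("Server URL is required");
            }
            if (!value.startsWith("https://")) {
                return FormValidation.warning("Use HTTPS so credentials are not sent in clear");
            }
            return FormValidation.ok();
        }

        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) {
            return true;
        }

        @Override
        public String getDisplayName() {
            return "Example builder";
        }
    }
}
```

The Jenkins security team's advisories for this class of bug are fixed exactly this way: add `@POST` and a `checkPermission` call to every `doCheck*`, `doFill*` and `doTest*` method, and treat any such method without both as a finding.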

Reflected XSS vulnerability in Micro Focus Application Automation Tools Plugin - Jenkins plugin

CVE-2021-22510 6.1 - Medium - April 08, 2021

Reflected XSS vulnerability in Micro Focus Application Automation Tools Plugin - Jenkins plugin. The vulnerability affects version 6.7 and earlier.

XSS

Authentication bypass vulnerability in Micro Focus Operations Bridge Manager affects versions 2019.05, 2019.11, 2020.05 and 2020.10

CVE-2021-22507 9.8 - Critical - April 08, 2021

Authentication bypass vulnerability in Micro Focus Operations Bridge Manager affects versions 2019.05, 2019.11, 2020.05 and 2020.10. The vulnerability could allow remote attackers to bypass user authentication and gain unauthorized access.

Authentication

Information leakage vulnerability via an advanced configuration setting in Micro Focus Access Manager

CVE-2021-22506 7.5 - High - March 26, 2021

Information leakage vulnerability via an advanced configuration setting in Micro Focus Access Manager, affecting all versions prior to 5.0. The vulnerability could cause information leakage.

Cross-Site Scripting vulnerability in Micro Focus Access Manager, affecting all versions prior to 5.0

CVE-2020-25840 6.1 - Medium - March 26, 2021

Cross-Site Scripting vulnerability in Micro Focus Access Manager, affecting all versions prior to 5.0. The vulnerability could cause configuration destruction.

XSS

Authentication Bypass vulnerability in Micro Focus Access Manager, affecting all versions prior to 4.5.3.3

CVE-2021-22496 7.5 - High - March 25, 2021

Authentication Bypass vulnerability in Micro Focus Access Manager, affecting all versions prior to 4.5.3.3. The vulnerability could cause information leakage.

Authentication

Micro Focus Solutions Business Manager versions prior to 11.7.1 are vulnerable to stored XSS

CVE-2019-18942 4.8 - Medium - February 26, 2021

Micro Focus Solutions Business Manager versions prior to 11.7.1 are vulnerable to stored XSS. The application reflects previously stored user input without encoding.

XSS

Micro Focus Solutions Business Manager versions prior to 11.7.1 are vulnerable to XML External Entity Processing (XXE) on certain operations.

CVE-2019-18943 8 - High - February 26, 2021

Micro Focus Solutions Business Manager versions prior to 11.7.1 are vulnerable to XML External Entity Processing (XXE) on certain operations.

XXE

Micro Focus Solutions Business Manager Application Repository versions prior to 11.7.1 are vulnerable to reflected XSS.

CVE-2019-18944 4.8 - Medium - February 26, 2021

Micro Focus Solutions Business Manager Application Repository versions prior to 11.7.1 are vulnerable to reflected XSS.

XSS

Micro Focus Solutions Business Manager Application Repository versions prior to 11.7.1 are vulnerable to privilege escalation.

CVE-2019-18945 8 - High - February 26, 2021

Micro Focus Solutions Business Manager Application Repository versions prior to 11.7.1 are vulnerable to privilege escalation.

Micro Focus Solutions Business Manager Application Repository versions prior to 11.7.1 are vulnerable to session fixation.

CVE-2019-18946 4.8 - Medium - February 26, 2021

Micro Focus Solutions Business Manager Application Repository versions prior to 11.7.1 are vulnerable to session fixation.

Session Fixation
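Session fixation (CVE-2019-18946) is the case where the application keeps using a session identifier the client arrived with after the user authenticates, so an attacker who planted that identifier (for example via a crafted link) owns the authenticated session. The following added example, written for this page rather than taken from Solutions Business Manager, shows the login handler that keeps the pre-authentication session beside two correct variants using the standard Servlet API. The handler names are hypothetical.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public class LoginSessionHandling {

    // VULNERABLE: reuses whatever session the client already had (possibly
    // one whose ID the attacker chose) and simply marks it authenticated.
    static void loginUnsafe(HttpServletRequest req, String user) {
        HttpSession s = req.getSession(true);   // returns the existing session if any
        s.setAttribute("user", user);
    }

    // HARDENED (Servlet 3.1+): keep the session's attributes but make the
    // container issue a new identifier, so the pre-login ID becomes worthless.
    static void loginSafe(HttpServletRequest req, String user) {
        req.getSession(true);                   // ensure a session exists
        String newId = req.changeSessionId();   // rotates the ID, invalidates the old one
        HttpSession s = req.getSession(false);
        s.setAttribute("user", user);
        // newId is what the Set-Cookie header now carries; log it for audit if needed
    }

    // HARDENED (any Servlet version): discard the pre-authentication session
    // entirely and start a fresh one. Use this when nothing gathered before
    // login (cart contents, CSRF token) needs to survive.
    static void loginSafeInvalidate(HttpServletRequest req, String user) {
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession fresh = req.getSession(true); // new ID issued by the container
        fresh.setAttribute("user", user);
    }
}
```

To test for this class of bug, note the session cookie before authenticating, log in, and compare: if the cookie value is unchanged after a successful login, the application is fixation-prone regardless of how the ID was generated.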

Micro Focus Solutions Business Manager Application Repository versions prior to 11.7.1 are vulnerable to information disclosure.

CVE-2019-18947 3.5 - Low - February 26, 2021

Micro Focus Solutions Business Manager Application Repository versions prior to 11.7.1 are vulnerable to information disclosure.

Generation of Error Message Containing Sensitive Information

Arbitrary code execution vulnerability on Micro Focus Operations Bridge Manager product

CVE-2021-22504 9.8 - Critical - February 12, 2021

Arbitrary code execution vulnerability on Micro Focus Operations Bridge Manager product, affecting versions 10.1x, 10.6x, 2018.05, 2018.11, 2019.05, 2019.11, 2020.05, 2020.10. The vulnerability could allow remote attackers to execute arbitrary code on an OBM server.

Remote Code Execution vulnerability in Micro Focus Operations Bridge Reporter (OBR), affecting version 10.40

CVE-2021-22502 9.8 - Critical - February 08, 2021

Remote Code Execution vulnerability in Micro Focus Operations Bridge Reporter (OBR), affecting version 10.40. The vulnerability could be exploited to allow Remote Code Execution on the OBR server.

Shell injection

Cross Site Request Forgery vulnerability in Micro Focus Application Performance Management product, affecting versions 9.40, 9.50 and 9.51

CVE-2021-22500 6.5 - Medium - February 06, 2021

Cross Site Request Forgery vulnerability in Micro Focus Application Performance Management, affecting versions 9.40, 9.50 and 9.51. The vulnerability could be exploited by an attacker to trick users into executing actions of the attacker's choosing.

Session Riding

Persistent Cross-Site scripting vulnerability in Micro Focus Application Performance Management product

CVE-2021-22499 4.8 - Medium - February 06, 2021

Persistent Cross-Site scripting vulnerability in Micro Focus Application Performance Management product, affecting versions 9.40, 9.50 and 9.51. The vulnerability could allow persistent XSS attack.

XSS

XML External Entity Injection vulnerability in Micro Focus Application Lifecycle Management (Previously known as Quality Center) product

CVE-2021-22498 8.1 - High - January 19, 2021

XML External Entity Injection vulnerability in Micro Focus Application Lifecycle Management (previously known as Quality Center). The vulnerability affects versions 12.x, 12.60 Patch 5 and earlier, 15.0.1 Patch 2 and earlier, and 15.5. The vulnerability could be exploited to perform XML External Entity Injection.

XXE
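Both XXE entries on this page, CVE-2019-18943 in Solutions Business Manager and CVE-2021-22498 in Application Lifecycle Management, share one root cause: an XML parser left at its defaults resolves external entities. The following added example, written for this page and not taken from either product, parses a constructed payload with a default `DocumentBuilderFactory` (the file contents come back as element text) and then with the hardened configuration that rejects the DOCTYPE outright. The temporary "secret" file is created by the example itself.

```java
import java.io.File;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XxeExample {

    // Constructed payload: an external entity pointing at a local file,
    // referenced from an element the application later returns or logs.
    // In a real attack the target would be /etc/passwd, a config file, or
    // an internal URL (SSRF) instead of the temp file used here.
    static String payload(File secret) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE req [<!ENTITY xxe SYSTEM \"" + secret.toURI() + "\">]>\n"
             + "<req><name>&xxe;</name></req>";
    }

    // VULNERABLE: JAXP defaults resolve SYSTEM entities.
    static String parseUnsafe(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        Document d = f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        return d.getElementsByTagName("name").item(0).getTextContent();
    }

    // HARDENED: forbid DOCTYPE declarations entirely (no entities can be
    // declared without one), and belt-and-braces disable entity resolution
    // and external DTD loading for parsers that honour those features.
    static String parseSafe(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        Document d = f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        return d.getElementsByTagName("name").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        File secret = File.createTempFile("secret", ".txt");
        secret.deleteOnExit();
        Files.write(secret.toPath(), "db-password=hunter2".getBytes(StandardCharsets.UTF_8));
        String xml = payload(secret);

        // Default parser: the element text is now the file's contents.
        System.out.println("unsafe parser returned: " + parseUnsafe(xml));

        // Hardened parser: the DOCTYPE itself is rejected before any entity is resolved.
        try {
            parseSafe(xml);
        } catch (SAXParseException e) {
            System.out.println("hardened parser rejected input: " + e.getMessage());
        }
    }
}
```

The same `disallow-doctype-decl` feature applies to `SAXParserFactory` and `XMLInputFactory` (`XMLInputFactory.SUPPORT_DTD` set to false) instances; audit every parser construction site, since a single default-configured one anywhere in the request path is enough.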

Unauthorized disclosure of sensitive information vulnerability in Micro Focus Filr product

CVE-2020-25838 6.5 - Medium - December 11, 2020

Unauthorized disclosure of sensitive information vulnerability in Micro Focus Filr, affecting all 3.x and 4.x versions. The vulnerability could be exploited to disclose sensitive information without authorization.

Information Disclosure

NetIQ Identity Manager 4.8 prior to version 4.8 SP2 HF1 is affected by an injection vulnerability

CVE-2020-25839 9.8 - Critical - November 20, 2020

NetIQ Identity Manager 4.8 prior to version 4.8 SP2 HF1 is affected by an injection vulnerability. This vulnerability is fixed in NetIQ IdM 4.8 SP2 HF1.

SQL Injection

Arbitrary code execution vulnerability in Micro Focus ArcSight Logger, affecting all versions prior to 7.1.1

CVE-2020-11851 9.8 - Critical - November 17, 2020

Arbitrary code execution vulnerability in Micro Focus ArcSight Logger, affecting all versions prior to 7.1.1. The vulnerability could be remotely exploited, resulting in the execution of arbitrary code.

Code Injection

Reflected Cross Site scripting vulnerability on Micro Focus Filr product, affecting version 4.2.1

CVE-2020-25832 5.4 - Medium - November 17, 2020

Reflected Cross-Site Scripting vulnerability in Micro Focus Filr, affecting version 4.2.1. The vulnerability could be exploited to perform a reflected XSS attack.

XSS

Persistent Cross-Site Scripting vulnerability in Micro Focus IDOL, affecting all versions prior to 12.7

CVE-2020-25833 4.8 - Medium - November 17, 2020

Persistent Cross-Site Scripting vulnerability in Micro Focus IDOL, affecting all versions prior to 12.7. The vulnerability could be exploited to perform a persistent XSS attack.

XSS

Cross-Site Scripting vulnerability in Micro Focus ArcSight Logger, affecting all versions prior to 7.1.1

CVE-2020-11860 6.1 - Medium - November 17, 2020

Cross-Site Scripting vulnerability in Micro Focus ArcSight Logger, affecting all versions prior to 7.1.1. The vulnerability could be remotely exploited, resulting in Cross-Site Scripting (XSS).

XSS

Cross-Site Scripting vulnerability in Micro Focus ArcSight Logger, affecting version 7.1

CVE-2020-25834 5.4 - Medium - November 17, 2020

Cross-Site Scripting vulnerability in Micro Focus ArcSight Logger, affecting version 7.1. The vulnerability could be remotely exploited, resulting in Cross-Site Scripting (XSS).

XSS

Sensitive information disclosure vulnerability in Micro Focus Self Service Password Reset (SSPR) product

CVE-2020-25837 7.5 - High - November 05, 2020

Sensitive information disclosure vulnerability in Micro Focus Self Service Password Reset (SSPR) product. The vulnerability affects versions 4.4.0.0 to 4.4.0.6 and 4.5.0.1 and 4.5.0.2. In certain configurations the vulnerability could disclose sensitive information.

Information Disclosure

Arbitrary code execution vulnerability in Micro Focus Operations Bridge Manager, Operations Bridge (containerized) and Application Performance Management

CVE-2020-11854 9.8 - Critical - October 27, 2020

Arbitrary code execution vulnerability in the Micro Focus products Operations Bridge Manager, Operations Bridge (containerized) and Application Performance Management. The vulnerability affects: 1.) Operations Bridge Manager versions 2020.05, 2019.11, 2019.05, 2018.11, 2018.05, 10.63, 10.62, 10.61, 10.60, 10.12, 10.11, 10.10 and all earlier versions. 2.) Operations Bridge (containerized) versions 2020.05, 2019.08, 2019.05, 2018.11, 2018.08, 2018.05, 2018.02 and 2017.11. 3.) Application Performance Management versions 9.51, 9.50 and 9.40 with uCMDB 10.33 CUP 3. The vulnerability could allow arbitrary code execution.

Use of Hard-coded Credentials

Code execution with escalated privileges vulnerability in Micro Focus products Operations Bridge Manager and Operations Bridge (containerized)

CVE-2020-11858 7.8 - High - October 27, 2020

Code execution with escalated privileges vulnerability in the Micro Focus products Operations Bridge Manager and Operations Bridge (containerized). The vulnerability affects: 1.) Operations Bridge Manager versions 2020.05, 2019.11, 2019.05, 2018.11, 2018.05, 10.63, 10.62, 10.61, 10.60, 10.12, 10.11, 10.10 and all earlier versions. 2.) Operations Bridge (containerized) versions 2020.05, 2019.08, 2019.05, 2018.11, 2018.08, 2018.05, 2018.02 and 2017.11. The vulnerability could allow local attackers to execute code with escalated privileges.

Built by Foundeo Inc., with data from the National Vulnerability Database (NVD), Icons by Icons8. Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.