Micro Focus Digital Transformation and Enterprise Software Modernization
Products by Micro Focus Sorted by Most Security Vulnerabilities since 2018
@microfocus Tweets

Wed Mar 22 14:21:28 +0000 2023

Tue Mar 21 14:45:01 +0000 2023

Tue Mar 21 14:11:01 +0000 2023

Tue Mar 21 12:43:00 +0000 2023

Mon Mar 20 18:32:01 +0000 2023
By the Year
In 2023 there have been 0 vulnerabilities in Micro Focus . Last year Micro Focus had 15 security vulnerabilities published. Right now, Micro Focus is on track to have less security vulnerabilities in 2023 than it did last year.
Year | Vulnerabilities | Average Score |
---|---|---|
2023 | 0 | 0.00 |
2022 | 15 | 6.15 |
2021 | 37 | 7.04 |
2020 | 28 | 6.99 |
2019 | 34 | 7.29 |
2018 | 37 | 7.68 |
It may take a day or so for new Micro Focus vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Micro Focus Security Vulnerabilities
A vulnerability has been identified in Micro Focus ZENworks 2020 Update 3a and prior versions
CVE-2022-38757
7.2 - High
- December 23, 2022
A vulnerability has been identified in Micro Focus ZENworks 2020 Update 3a and prior versions. This vulnerability allows administrators with rights to perform actions (e.g., install a bundle) on a set of managed devices, to be able to exercise these rights on managed devices in the ZENworks zone but which are outside the scope of the administrator. This vulnerability does not result in the administrators gaining additional rights on the managed devices, either in the scope or outside the scope of the administrator.
Improper Privilege Management
A vulnerability has been identified in Micro Focus GroupWise Web in versions prior to 18.4.2
CVE-2022-38756
4.3 - Medium
- December 16, 2022
A vulnerability has been identified in Micro Focus GroupWise Web in versions prior to 18.4.2. The GW Web component makes a request to the Post Office Agent that contains sensitive information in the query parameters that could be logged by any intervening HTTP proxies.
Insertion of Sensitive Information into Log File
A potential vulnerability has been identified in Micro Focus Operations Bridge - Containerized
CVE-2022-38754
5.4 - Medium
- December 08, 2022
A potential vulnerability has been identified in Micro Focus Operations Bridge - Containerized. The vulnerability could be exploited by a malicious authenticated OBM (Operations Bridge Manager) user to run Java Scripts in the browser context of another OBM user. Please note: The vulnerability is only applicable if the Operations Bridge Manager capability is deployed. A potential vulnerability has been identified in Micro Focus Operations Bridge Manager (OBM). The vulnerability could be exploited by a malicious authenticated OBM user to run Java Scripts in the browser context of another OBM user. This issue affects: Micro Focus Micro Focus Operations Bridge Manager versions prior to 2022.11. Micro Focus Micro Focus Operations Bridge- Containerized versions prior to 2022.11.
XSS
This update resolves a multi-factor authentication bypass attack
CVE-2022-38753
6.3 - Medium
- November 28, 2022
This update resolves a multi-factor authentication bypass attack
authentification
A vulnerability has been identified in Micro Focus Filr in versions prior to 4.3.1.1
CVE-2022-38755
5.3 - Medium
- November 21, 2022
A vulnerability has been identified in Micro Focus Filr in versions prior to 4.3.1.1. The vulnerability could be exploited to allow a remote unauthenticated attacker to enumerate valid users of the system. Remote unauthenticated user enumeration. This issue affects: Micro Focus Filr versions prior to 4.3.1.1.
Potential vulnerabilities have been identified in Micro Focus ArcSight Logger
CVE-2022-26331
6.1 - Medium
- August 31, 2022
Potential vulnerabilities have been identified in Micro Focus ArcSight Logger. The vulnerabilities could be remotely exploited resulting in Information Disclosure, or Self Cross-Site Scripting (XSS). This issue affects: Micro Focus ArcSight Logger versions prior to v7.2.2 version and prior versions.
XSS
Potential vulnerabilities have been identified in Micro Focus ArcSight Logger
CVE-2022-26330
7.5 - High
- August 31, 2022
Potential vulnerabilities have been identified in Micro Focus ArcSight Logger. The vulnerabilities could be remotely exploited resulting in Information Disclosure, or Self Cross-Site Scripting (XSS). This issue affects: Micro Focus ArcSight Logger versions prior to v7.2.2 version and prior versions.
Exposure of Resource to Wrong Sphere
A bug exist in the input parameter of Access Manager that allows supply of invalid character to trigger cross-site scripting vulnerability
CVE-2021-22531
6.1 - Medium
- May 12, 2022
A bug exist in the input parameter of Access Manager that allows supply of invalid character to trigger cross-site scripting vulnerability. This affects NetIQ Access Manager 4.5 and 5.0
XSS
Potential open redirection vulnerability when URL is crafted in specific format in NetIQ Access Manager prior to 5.0.2
CVE-2022-26326
6.1 - Medium
- May 02, 2022
Potential open redirection vulnerability when URL is crafted in specific format in NetIQ Access Manager prior to 5.0.2
Open Redirect
Reflected Cross Site Scripting (XSS) vulnerability in NetIQ Access Manager prior to 5.0.2
CVE-2022-26325
6.1 - Medium
- May 02, 2022
Reflected Cross Site Scripting (XSS) vulnerability in NetIQ Access Manager prior to 5.0.2
XSS
Unauthenticated remote code execution in Micro Focus Operations Bridge containerized, affecting versions 2021.05, 2021.08, and newer versions of Micro Focus Operations Bridge containerized if the deployment was upgraded
CVE-2021-38125
9.8 - Critical
- April 11, 2022
Unauthenticated remote code execution in Micro Focus Operations Bridge containerized, affecting versions 2021.05, 2021.08, and newer versions of Micro Focus Operations Bridge containerized if the deployment was upgraded from 2021.05 or 2021.08. The vulnerability could be exploited to unauthenticated remote code execution.
A potential Information leakage vulnerability has been identified in versions of Micro Focus Voltage SecureMail Mail Relay prior to 7.3.0.1
CVE-2021-38130
6.5 - Medium
- February 04, 2022
A potential Information leakage vulnerability has been identified in versions of Micro Focus Voltage SecureMail Mail Relay prior to 7.3.0.1. The vulnerability could be exploited to create an information leakage attack.
Exposure of Resource to Wrong Sphere
Escalation of privileges vulnerability in Micro Focus in Micro Focus Operations Agent, affecting versions 12.x up to and including 12.21
CVE-2021-38129
3.3 - Low
- January 25, 2022
Escalation of privileges vulnerability in Micro Focus in Micro Focus Operations Agent, affecting versions 12.x up to and including 12.21. The vulnerability could be exploited by a non-privileged local user to access system monitoring data collected by Operations Agent.
Potential vulnerabilities have been identified in Micro Focus ArcSight Enterprise Security Manager, affecting versions 7.4.x and 7.5.x
CVE-2021-38127
6.1 - Medium
- January 14, 2022
Potential vulnerabilities have been identified in Micro Focus ArcSight Enterprise Security Manager, affecting versions 7.4.x and 7.5.x. The vulnerabilities could be remotely exploited resulting in Cross-Site Scripting (XSS).
XSS
Potential vulnerabilities have been identified in Micro Focus ArcSight Enterprise Security Manager, affecting versions 7.4.x and 7.5.x
CVE-2021-38126
6.1 - Medium
- January 14, 2022
Potential vulnerabilities have been identified in Micro Focus ArcSight Enterprise Security Manager, affecting versions 7.4.x and 7.5.x. The vulnerabilities could be remotely exploited resulting in Cross-Site Scripting (XSS).
XSS
Remote Code Execution vulnerability in Micro Focus ArcSight Enterprise Security Manager (ESM) product, affecting versions 7.0.2 through 7.5
CVE-2021-38124
9.8 - Critical
- September 28, 2021
Remote Code Execution vulnerability in Micro Focus ArcSight Enterprise Security Manager (ESM) product, affecting versions 7.0.2 through 7.5. The vulnerability could be exploited resulting in remote code execution.
Command Injection
Unauthorized information security disclosure vulnerability on Micro Focus Directory and Resource Administrator (DRA) product
CVE-2021-22535
4.9 - Medium
- September 28, 2021
Unauthorized information security disclosure vulnerability on Micro Focus Directory and Resource Administrator (DRA) product, affecting all DRA versions prior to 10.1 Patch 1. The vulnerability could lead to unauthorized information disclosure.
AuthZ
Reflected Cross Site Scripting (XSS) vulnerability in NetIQ Access Manager prior to 5.0.1 and 4.5.4
CVE-2021-22528
5.4 - Medium
- September 13, 2021
Reflected Cross Site Scripting (XSS) vulnerability in NetIQ Access Manager prior to 5.0.1 and 4.5.4
XSS
Information leakage vulnerability in NetIQ Access Manager prior to 5.0.1 and 4.5.4
CVE-2021-22527
7.5 - High
- September 13, 2021
Information leakage vulnerability in NetIQ Access Manager prior to 5.0.1 and 4.5.4
Open Redirection vulnerability in NetIQ Access Manager prior to 5.0.1 and 4.5.4
CVE-2021-22526
6.1 - Medium
- September 13, 2021
Open Redirection vulnerability in NetIQ Access Manager prior to 5.0.1 and 4.5.4
Open Redirect
Injection attack caused the denial of service vulnerability in NetIQ Access Manager prior to 5.0.1 and 4.5.4
CVE-2021-22524
4.9 - Medium
- September 13, 2021
Injection attack caused the denial of service vulnerability in NetIQ Access Manager prior to 5.0.1 and 4.5.4
aka Blind XPath Injection
Open Redirect vulnerability in Micro Focus Network Automation
CVE-2021-38123
6.1 - Medium
- September 07, 2021
Open Redirect vulnerability in Micro Focus Network Automation, affecting Network Automation versions 10.4x, 10.5x, 2018.05, 2018.11, 2019.05, 2020.02, 2020.08, 2020.11, 2021.05. The vulnerability could allow redirect users to malicious websites after authentication.
Open Redirect
This release addresses a potential information leakage vulnerability in NetIQ Access Manager versions prior to 5.0.1
CVE-2021-22525
5.5 - Medium
- September 02, 2021
This release addresses a potential information leakage vulnerability in NetIQ Access Manager versions prior to 5.0.1
A potential unauthorized privilege escalation vulnerability has been identified in Micro Focus Data Protector
CVE-2021-22517
8.8 - High
- August 05, 2021
A potential unauthorized privilege escalation vulnerability has been identified in Micro Focus Data Protector. The vulnerability affects versions 10.10, 10.20, 10.30, 10.40, 10.50, 10.60, 10.70, 10.80, 10.0 and 10.91. A privileged user may potentially misuse this feature and thus allow unintended and unauthorized access of data.
A privileged escalation vulnerability has been identified in Micro Focus ZENworks Configuration Management
CVE-2021-22521
6.7 - Medium
- July 30, 2021
A privileged escalation vulnerability has been identified in Micro Focus ZENworks Configuration Management, affecting version 2020 Update 1 and all prior versions. The vulnerability could be exploited to gain unauthorized system privileges.
AuthZ
XML External Entity vulnerability in Micro Focus Verastream Host Integrator, affecting version 7.8 Update 1 and earlier versions
CVE-2021-22523
7.6 - High
- July 22, 2021
XML External Entity vulnerability in Micro Focus Verastream Host Integrator, affecting version 7.8 Update 1 and earlier versions. The vulnerability could allow the control of web browser and hijacking user sessions.
XXE
Reflected Cross-Site Scripting vulnerability in Micro Focus Verastream Host Integrator
CVE-2021-22522
7.1 - High
- July 22, 2021
Reflected Cross-Site Scripting vulnerability in Micro Focus Verastream Host Integrator, affecting version version 7.8 Update 1 and earlier versions. The vulnerability could allow disclosure of confidential data.
XSS
Multi-Factor Authentication (MFA) functionality can be bypassed
CVE-2021-22515
6.5 - Medium
- July 12, 2021
Multi-Factor Authentication (MFA) functionality can be bypassed, allowing the use of single factor authentication in NetIQ Advanced Authentication versions prior to 6.3 SP4 Patch 1.
AuthZ
Insertion of Sensitive Information into Log File vulnerability in Micro Focus Secure API Manager (SAPIM) product, affecting version 2.0.0
CVE-2021-22516
7.5 - High
- June 04, 2021
Insertion of Sensitive Information into Log File vulnerability in Micro Focus Secure API Manager (SAPIM) product, affecting version 2.0.0. The vulnerability could lead to sensitive information being in a log file.
Insertion of Sensitive Information into Log File
Execute arbitrary code vulnerability in Micro Focus SiteScope product
CVE-2021-22519
9.8 - Critical
- May 28, 2021
Execute arbitrary code vulnerability in Micro Focus SiteScope product, affecting versions 11.40,11.41 , 2018.05(11.50), 2018.08(11.51), 2018.11(11.60), 2019.02(11.70), 2019.05(11.80), 2019.08(11.90), 2019.11(11.91), 2020.05(11.92), 2020.10(11.93). The vulnerability could allow remote attackers to execute arbitrary code on affected installations of SiteScope.
An arbitrary code execution vulnerability exists in Micro Focus Application Performance Management, affecting versions 9.40, 9.50 and 9.51
CVE-2021-22514
9.8 - Critical
- April 28, 2021
An arbitrary code execution vulnerability exists in Micro Focus Application Performance Management, affecting versions 9.40, 9.50 and 9.51. The vulnerability could allow remote attackers to execute arbitrary code on affected installations of APM.
Escalation of privileges vulnerability in Micro Focus Operations Agent, affects versions 12.0x, 12.10, 12.11, 12.12, 12.14 and 12.15
CVE-2021-22505
9.8 - Critical
- April 13, 2021
Escalation of privileges vulnerability in Micro Focus Operations Agent, affects versions 12.0x, 12.10, 12.11, 12.12, 12.14 and 12.15. The vulnerability could be exploited to escalate privileges and execute code under the account of the Operations Agent.
Advanced Authentication versions prior to 6.3 SP4 have a potential broken authentication due to improper session management issue.
CVE-2021-22497
7.2 - High
- April 12, 2021
Advanced Authentication versions prior to 6.3 SP4 have a potential broken authentication due to improper session management issue.
authentification
Reflected XSS vulnerability in Micro Focus Application Automation Tools Plugin - Jenkins plugin
CVE-2021-22510
6.1 - Medium
- April 08, 2021
Reflected XSS vulnerability in Micro Focus Application Automation Tools Plugin - Jenkins plugin. The vulnerability affects all version 6.7 and earlier versions.
XSS
Cross-Site Request Forgery (CSRF) vulnerability in Micro Focus Application Automation Tools Plugin - Jenkins plugin
CVE-2021-22512
6.5 - Medium
- April 08, 2021
Cross-Site Request Forgery (CSRF) vulnerability in Micro Focus Application Automation Tools Plugin - Jenkins plugin. The vulnerability affects version 6.7 and earlier versions. The vulnerability could allow form validation without permission checks.
Session Riding
Improper Certificate Validation vulnerability in Micro Focus Application Automation Tools Plugin - Jenkins plugin
CVE-2021-22511
6.5 - Medium
- April 08, 2021
Improper Certificate Validation vulnerability in Micro Focus Application Automation Tools Plugin - Jenkins plugin. The vulnerability affects version 6.7 and earlier versions. The vulnerability could allow unconditionally disabling of SSL/TLS certificates.
Improper Certificate Validation
Missing Authorization vulnerability in Micro Focus Application Automation Tools Plugin - Jenkins plugin
CVE-2021-22513
6.5 - Medium
- April 08, 2021
Missing Authorization vulnerability in Micro Focus Application Automation Tools Plugin - Jenkins plugin. The vulnerability affects version 6.7 and earlier versions. The vulnerability could allow access without permission checks.
AuthZ
Authentication bypass vulnerability in Micro Focus Operations Bridge Manager affects versions 2019.05, 2019.11, 2020.05 and 2020.10
CVE-2021-22507
9.8 - Critical
- April 08, 2021
Authentication bypass vulnerability in Micro Focus Operations Bridge Manager affects versions 2019.05, 2019.11, 2020.05 and 2020.10. The vulnerability could allow remote attackers to bypass user authentication and get unauthorized access.
authentification
Cross-Site scripting vulnerability in Micro Focus Access Manager product, affects all version prior to version 5.0
CVE-2020-25840
6.1 - Medium
- March 26, 2021
Cross-Site scripting vulnerability in Micro Focus Access Manager product, affects all version prior to version 5.0. The vulnerability could cause configuration destruction.
XSS
Advance configuration exposing Information Leakage vulnerability in Micro Focus Access Manager product
CVE-2021-22506
7.5 - High
- March 26, 2021
Advance configuration exposing Information Leakage vulnerability in Micro Focus Access Manager product, affects all versions prior to version 5.0. The vulnerability could cause information leakage.
Authentication Bypass Vulnerability in Micro Focus Access Manager Product, affects all version prior to version 4.5.3.3
CVE-2021-22496
7.5 - High
- March 25, 2021
Authentication Bypass Vulnerability in Micro Focus Access Manager Product, affects all version prior to version 4.5.3.3. The vulnerability could cause information leakage.
authentification
Micro Focus Solutions Business Manager versions prior to 11.7.1 are vulnerable to stored XSS
CVE-2019-18942
4.8 - Medium
- February 26, 2021
Micro Focus Solutions Business Manager versions prior to 11.7.1 are vulnerable to stored XSS. The application reflects previously stored user input without encoding.
XSS
Micro Focus Solutions Business Manager versions prior to 11.7.1 are vulnerable to XML External Entity Processing (XXE) on certain operations.
CVE-2019-18943
8 - High
- February 26, 2021
Micro Focus Solutions Business Manager versions prior to 11.7.1 are vulnerable to XML External Entity Processing (XXE) on certain operations.
XXE
Micro Focus Solutions Business Manager Application Repository versions prior to 11.7.1 are vulnerable to reflected XSS.
CVE-2019-18944
4.8 - Medium
- February 26, 2021
Micro Focus Solutions Business Manager Application Repository versions prior to 11.7.1 are vulnerable to reflected XSS.
XSS
Micro Focus Solutions Business Manager Application Repository versions prior to 11.7.1 are vulnerable to privilege escalation vulnerability.
CVE-2019-18945
8 - High
- February 26, 2021
Micro Focus Solutions Business Manager Application Repository versions prior to 11.7.1 are vulnerable to privilege escalation vulnerability.
Micro Focus Solutions Business Manager Application Repository versions prior to 11.7.1 are vulnerable to session fixation.
CVE-2019-18946
4.8 - Medium
- February 26, 2021
Micro Focus Solutions Business Manager Application Repository versions prior to 11.7.1 are vulnerable to session fixation.
Session Fixation
Micro Focus Solutions Business Manager Application Repository versions prior to 11.7.1 are vulnerable to information disclosure.
CVE-2019-18947
3.5 - Low
- February 26, 2021
Micro Focus Solutions Business Manager Application Repository versions prior to 11.7.1 are vulnerable to information disclosure.
Generation of Error Message Containing Sensitive Information
Arbitrary code execution vulnerability on Micro Focus Operations Bridge Manager product
CVE-2021-22504
9.8 - Critical
- February 12, 2021
Arbitrary code execution vulnerability on Micro Focus Operations Bridge Manager product, affecting versions 10.1x, 10.6x, 2018.05, 2018.11, 2019.05, 2019.11, 2020.05, 2020.10. The vulnerability could allow remote attackers to execute arbitrary code on an OBM server.
Remote Code execution vulnerability in Micro Focus Operation Bridge Reporter (OBR) product, affecting version 10.40
CVE-2021-22502
9.8 - Critical
- February 08, 2021
Remote Code execution vulnerability in Micro Focus Operation Bridge Reporter (OBR) product, affecting version 10.40. The vulnerability could be exploited to allow Remote Code Execution on the OBR server.
Shell injection
Cross Site Request Forgery vulnerability in Micro Focus Application Performance Management product, affecting versions 9.40, 9.50 and 9.51
CVE-2021-22500
6.5 - Medium
- February 06, 2021
Cross Site Request Forgery vulnerability in Micro Focus Application Performance Management product, affecting versions 9.40, 9.50 and 9.51. The vulnerability could be exploited by attacker to trick the users into executing actions of the attacker's choosing.
Session Riding
Persistent Cross-Site scripting vulnerability in Micro Focus Application Performance Management product
CVE-2021-22499
4.8 - Medium
- February 06, 2021
Persistent Cross-Site scripting vulnerability in Micro Focus Application Performance Management product, affecting versions 9.40, 9.50 and 9.51. The vulnerability could allow persistent XSS attack.
XSS
XML External Entity Injection vulnerability in Micro Focus Application Lifecycle Management (Previously known as Quality Center) product
CVE-2021-22498
8.1 - High
- January 19, 2021
XML External Entity Injection vulnerability in Micro Focus Application Lifecycle Management (Previously known as Quality Center) product. The vulnerability affects versions 12.x, 12.60 Patch 5 and earlier, 15.0.1 Patch 2 and earlier and 15.5. The vulnerability could be exploited to allow an XML External Entity Injection.
XXE
Unauthorized disclosure of sensitive information vulnerability in Micro Focus Filr product
CVE-2020-25838
6.5 - Medium
- December 11, 2020
Unauthorized disclosure of sensitive information vulnerability in Micro Focus Filr product. Affecting all 3.x and 4.x versions. The vulnerability could be exploited to disclose unauthorized sensitive information.
Information Disclosure
NetIQ Identity Manager 4.8 prior to version 4.8 SP2 HF1 are affected by an injection vulnerability
CVE-2020-25839
9.8 - Critical
- November 20, 2020
NetIQ Identity Manager 4.8 prior to version 4.8 SP2 HF1 are affected by an injection vulnerability. This vulnerability is fixed in NetIQ IdM 4.8 SP2 HF1.
SQL Injection
Arbitrary code execution vulnerability on Micro Focus ArcSight Logger product, affecting all version prior to 7.1.1
CVE-2020-11851
9.8 - Critical
- November 17, 2020
Arbitrary code execution vulnerability on Micro Focus ArcSight Logger product, affecting all version prior to 7.1.1. The vulnerability could be remotely exploited resulting in the execution of arbitrary code.
Code Injection
Reflected Cross Site scripting vulnerability on Micro Focus Filr product, affecting version 4.2.1
CVE-2020-25832
5.4 - Medium
- November 17, 2020
Reflected Cross Site scripting vulnerability on Micro Focus Filr product, affecting version 4.2.1. The vulnerability could be exploited to perform Reflected XSS attack.
XSS
Persistent cross-Site Scripting vulnerability on Micro Focus IDOL product, affecting all version prior to version 12.7
CVE-2020-25833
4.8 - Medium
- November 17, 2020
Persistent cross-Site Scripting vulnerability on Micro Focus IDOL product, affecting all version prior to version 12.7. The vulnerability could be exploited to perform Persistent XSS attack.
XSS
Cross-Site Scripting vulnerability on Micro Focus ArcSight Logger product, affecting all version prior to 7.1.1
CVE-2020-11860
6.1 - Medium
- November 17, 2020
Cross-Site Scripting vulnerability on Micro Focus ArcSight Logger product, affecting all version prior to 7.1.1. The vulnerability could be remotely exploited resulting in Cross-Site Scripting (XSS)
XSS
Cross-Site Scripting vulnerability on Micro Focus ArcSight Logger product, affecting version 7.1
CVE-2020-25834
5.4 - Medium
- November 17, 2020
Cross-Site Scripting vulnerability on Micro Focus ArcSight Logger product, affecting version 7.1. The vulnerability could be remotely exploited resulting in Cross-Site Scripting (XSS).
XSS
Sensitive information disclosure vulnerability in Micro Focus Self Service Password Reset (SSPR) product
CVE-2020-25837
7.5 - High
- November 05, 2020
Sensitive information disclosure vulnerability in Micro Focus Self Service Password Reset (SSPR) product. The vulnerability affects versions 4.4.0.0 to 4.4.0.6 and 4.5.0.1 and 4.5.0.2. In certain configurations the vulnerability could disclose sensitive information.
Information Disclosure
Arbitrary code execution vlnerability in Operation bridge Manager
CVE-2020-11854
9.8 - Critical
- October 27, 2020
Arbitrary code execution vlnerability in Operation bridge Manager, Application Performance Management and Operations Bridge (containerized) vulnerability in Micro Focus products products Operation Bridge Manager, Operation Bridge (containerized) and Application Performance Management. The vulneravility affects: 1.) Operation Bridge Manager versions 2020.05, 2019.11, 2019.05, 2018.11, 2018.05, 10.63,10.62, 10.61, 10.60, 10.12, 10.11, 10.10 and all earlier versions. 2.) Operations Bridge (containerized) 2020.05, 2019.08, 2019.05, 2018.11, 2018.08, 2018.05. 2018.02 and 2017.11. 3.) Application Performance Management versions 9,51, 9.50 and 9.40 with uCMDB 10.33 CUP 3. The vulnerability could allow Arbitrary code execution.
Use of Hard-coded Credentials
Code execution with escalated privileges vulnerability in Micro Focus products Operation Bridge Manager and Operation Bridge (containerized)
CVE-2020-11858
7.8 - High
- October 27, 2020
Code execution with escalated privileges vulnerability in Micro Focus products Operation Bridge Manager and Operation Bridge (containerized). The vulneravility affects: 1.) Operation Bridge Manager versions: 2020.05, 2019.11, 2019.05, 2018.11, 2018.05, 10.63,10.62, 10.61, 10.60, 10.12, 10.11, 10.10 and all earlier versions. 2.) Operations Bridge (containerized) versions: 2020.05, 2019.08, 2019.05, 2018.11, 2018.08, 2018.05. 2018.02 and 2017.11. The vulnerability could allow local attackers to execute code with escalated privileges.
Arbitrary code execution vulnerability affecting multiple Micro Focus products
CVE-2020-11853
8.8 - High
- October 22, 2020
Arbitrary code execution vulnerability affecting multiple Micro Focus products. 1.) Operation Bridge Manager affecting version: 2020.05, 2019.11, 2019.05, 2018.11, 2018.05, versions 10.6x and 10.1x and older versions. 2.) Application Performance Management affecting versions : 9.51, 9.50 and 9.40 with uCMDB 10.33 CUP 3 3.) Data Center Automation affected version 2019.11 4.) Operations Bridge (containerized) affecting versions: 2019.11, 2019.08, 2019.05, 2018.11, 2018.08, 2018.05, 2018.02, 2017.11 5.) Universal CMDB affecting version: 2020.05, 2019.11, 2019.05, 2019.02, 2018.11, 2018.08, 2018.05, 11, 10.33, 10.32, 10.31, 10.30 6.) Hybrid Cloud Management affecting version 2020.05 7.) Service Management Automation affecting version 2020.5 and 2020.02. The vulnerability could allow to execute arbitrary code.
An Authorization Bypass vulnerability on Micro Focus Operation Bridge Reporter, affecting version 10.40 and earlier
CVE-2020-11857
9.8 - Critical
- September 22, 2020
An Authorization Bypass vulnerability on Micro Focus Operation Bridge Reporter, affecting version 10.40 and earlier. The vulnerability could allow remote attackers to access the OBR host as a non-admin user
Use of Hard-coded Credentials
Denial of service vulnerability on Micro Focus ArcSight Management Center
CVE-2020-11848
7.5 - High
- August 19, 2020
Denial of service vulnerability on Micro Focus ArcSight Management Center. Affecting all versions prior to version 2.9.5. The vulnerability could cause the server to become unavailable, causing a denial of service.
DKIM key management page vulnerability on Micro Focus Secure Messaging Gateway (SMG)
CVE-2020-11852
8.8 - High
- August 07, 2020
DKIM key management page vulnerability on Micro Focus Secure Messaging Gateway (SMG). Affecting all SMG Appliance running releases prior to July 2020. The vulnerability could allow a logged in user with rights to generate DKIM key information to inject system commands into the call to the DKIM system command.
Injection
Cross Site Scripting (XSS) vulnerability in Micro Focus ArcSight Management Center product
CVE-2020-11838
5.4 - Medium
- June 16, 2020
Cross Site Scripting (XSS) vulnerability in Micro Focus ArcSight Management Center product, Affecting versions 2.6.1, 2.7.x, 2.8.x, 2.9.x prior to 2.9.4. The vulnerabilities could be remotely exploited resulting in Cross-Site Scripting (XSS) or information disclosure.
XSS
Unauthorized information disclosure vulnerability in Micro Focus ArcSight Management Center product
CVE-2020-11840
4.3 - Medium
- June 16, 2020
Unauthorized information disclosure vulnerability in Micro Focus ArcSight Management Center product, Affecting versions 2.6.1, 2.7.x, 2.8.x, 2.9.x prior to 2.9.4. The vulnerabilities could be remotely exploited resulting unauthorized information disclosure.
Information Disclosure
Unauthorized information disclosure vulnerability in Micro Focus ArcSight Management Center product
CVE-2020-11841
4.3 - Medium
- June 16, 2020
Unauthorized information disclosure vulnerability in Micro Focus ArcSight Management Center product, Affecting versions 2.6.1, 2.7.x, 2.8.x, 2.9.x prior to 2.9.4. The vulnerabilities could be remotely exploited resulting unauthorized information disclosure.
Information Disclosure
Cross Site Scripting (XSS) vulnerability in Micro Focus ArcSight Logger product, affecting all version from 6.6.1 up to version 7.0.1
CVE-2020-11839
6.1 - Medium
- June 12, 2020
Cross Site Scripting (XSS) vulnerability in Micro Focus ArcSight Logger product, affecting all version from 6.6.1 up to version 7.0.1. The vulnerabilities could be remotely exploited resulting in Cross-Site Scripting (XSS) or information disclosure.
XSS
Incorrect Authorization vulnerability in Micro Focus Container Deployment Foundation component affects products: - Hybrid Cloud Management
CVE-2020-11844
9.8 - Critical
- May 29, 2020
Incorrect Authorization vulnerability in Micro Focus Container Deployment Foundation component affects products: - Hybrid Cloud Management. Versions 2018.05 to 2019.11. - ArcSight Investigate. versions 2.4.0, 3.0.0 and 3.1.0. - ArcSight Transformation Hub. versions 3.0.0, 3.1.0, 3.2.0. - ArcSight Interset. version 6.0.0. - ArcSight ESM (when ArcSight Fusion 1.0 is installed). version 7.2.1. - Service Management Automation (SMA). versions 2018.05 to 2020.02 - Operation Bridge Suite (Containerized). Versions 2018.05 to 2020.02. - Network Operation Management. versions 2017.11 to 2019.11. - Data Center Automation Containerized. versions 2018.05 to 2019.11 - Identity Intelligence. versions 1.1.0 and 1.1.1. The vulnerability could be exploited to provide unauthorized access to the Container Deployment Foundation.
AuthZ
Cross Site Scripting vulnerability in Micro Focus Service Manager product
CVE-2020-11845
6.1 - Medium
- May 19, 2020
Cross Site Scripting vulnerability in Micro Focus Service Manager product. Affecting versions 9.50, 9.51, 9.52, 9.60, 9.61, 9.62, 9.63. The vulnerability could be exploited to allow remote attackers to inject arbitrary web script or HTML.
XSS
Cross Site scripting vulnerability on Micro Focus Enterprise Server and Enterprise developer
CVE-2020-9524
5.4 - Medium
- May 18, 2020
Cross Site scripting vulnerability on Micro Focus Enterprise Server and Enterprise developer, affecting all versions prior to version 5.0 Patch Update 8. The vulnerability could allow an attacker to trigger administrative actions when an administrator viewed malicious data left by the attacker (stored XSS) or followed a malicious link (reflected XSS).
XSS
Information disclosure vulnerability in Micro Focus Verastream Host Integrator (VHI) product
CVE-2020-11842
7.5 - High
- May 04, 2020
Information disclosure vulnerability in Micro Focus Verastream Host Integrator (VHI) product, affecting versions earlier than 7.8 Update 1 (7.8.49 or 7.8.0.49). The vulnerability allows an unauthenticated attackers to view information they may not have been authorized to view.
Information Disclosure
Insufficiently protected credentials vulnerability on Micro Focus enterprise developer and enterprise server
CVE-2020-9523
8.8 - High
- April 17, 2020
Insufficiently protected credentials vulnerability on Micro Focus enterprise developer and enterprise server, affecting all version prior to 4.0 Patch Update 16, and version 5.0 Patch Update 6. The vulnerability could allow an attacker to transmit hashed credentials for the user account running the Micro Focus Directory Server (MFDS) to an arbitrary site, compromising that account's security.
Insufficiently Protected Credentials
An SQL injection vulnerability was discovered in Micro Focus Service Manager Automation (SMA)
CVE-2020-9521
8.8 - High
- March 26, 2020
An SQL injection vulnerability was discovered in Micro Focus Service Manager Automation (SMA), affecting versions 2019.08, 2019.05, 2019.02, 2018.08, 2018.05, 2018.02. The vulnerability could allow for the improper neutralization of special elements in SQL commands and may lead to the product being vulnerable to SQL injection.
SQL Injection
A stored XSS vulnerability was discovered in Micro Focus Vibe, affecting all Vibe version prior to 4.0.7
CVE-2020-9520
5.4 - Medium
- March 25, 2020
A stored XSS vulnerability was discovered in Micro Focus Vibe, affecting all Vibe version prior to 4.0.7. The vulnerability could allows a remote attacker to craft and store malicious content into Vibe such that when the content is viewed by another user of the system, attacker controlled JavaScript will execute in the security context of the target users browser.
XSS
Login filter can access configuration files vulnerability in Micro Focus Service Manager (Web Tier)
CVE-2020-9518
5.3 - Medium
- March 16, 2020
Login filter can access configuration files vulnerability in Micro Focus Service Manager (Web Tier), affecting versions 9.50, 9.51, 9.52, 9.60, 9.61, 9.62. The vulnerability could be exploited to allow unauthorized access to configuration data.
Information Disclosure
HTTP methods reveled in Web services vulnerability in Micro Focus Service manager (server)
CVE-2020-9519
5.3 - Medium
- March 16, 2020
HTTP methods reveled in Web services vulnerability in Micro Focus Service manager (server), affecting versions 9.40, 9.41, 9.50, 9.51, 9.52, 9.60, 9.61, 9.62, 9.63. The vulnerability could be exploited to allow exposure of configuration data.
Information Disclosure
There is an improper restriction of rendered UI layers or frames vulnerability in Micro Focus Service Manager Release Control versions 9.50 and 9.60
CVE-2020-9517
5.4 - Medium
- March 09, 2020
There is an improper restriction of rendered UI layers or frames vulnerability in Micro Focus Service Manager Release Control versions 9.50 and 9.60. The vulnerability may result in the ability of malicious users to perform UI redress attacks.
Open Redirect
Cross-Site Request Forgery vulnerability in all Micro Focus ArcSight Logger affecting all product versions below version 7.0
CVE-2019-11657
8.8 - High
- December 17, 2019
Cross-Site Request Forgery vulnerability in all Micro Focus ArcSight Logger affecting all product versions below version 7.0. The vulnerability could be exploited to perform CSRF attack.
Session Riding
Unauthorized file download vulnerability in all supported versions of Micro Focus AcuToWeb
CVE-2019-17087
7.5 - High
- December 11, 2019
Unauthorized file download vulnerability in all supported versions of Micro Focus AcuToWeb. The vulnerability could be exploited to enumerate and download files from the filesystem of the system running AcuToWeb, with the privileges of the account AcuToWeb is running under.
Information Disclosure
XXE attack vulnerability on Micro Focus Operations Agent, affected version 12.0, 12.01, 12.02, 12.03, 12.04, 12.05, 12.06, 12.10, 12.11
CVE-2019-17085
6.5 - Medium
- November 18, 2019
XXE attack vulnerability on Micro Focus Operations Agent, affected version 12.0, 12.01, 12.02, 12.03, 12.04, 12.05, 12.06, 12.10, 12.11. The vulnerability could be exploited to do an XXE attack on Operations Agent.
XXE
Man-in-the-middle vulnerability in Micro Focus Self Service Password Reset, affecting all versions prior to 4.4.0.4
CVE-2019-11674
5.9 - Medium
- October 22, 2019
Man-in-the-middle vulnerability in Micro Focus Self Service Password Reset, affecting all versions prior to 4.4.0.4. The vulnerability could exploit invalid certificate validation and may result in a man-in-the-middle attack.
Improper Certificate Validation
Reflected XSS on Micro Focus Enterprise Developer and Enterprise Server
CVE-2019-11651
6.1 - Medium
- October 02, 2019
Reflected XSS on Micro Focus Enterprise Developer and Enterprise Server, all versions prior to version 3.0 Patch Update 20, version 4.0 Patch Update 12, and version 5.0 Patch Update 2. The vulnerability could be exploited to redirect a user to a malicious page or forge certain types of web requests.
XSS
Allow changes to some table by non-SysAdmin in Micro Focus Service Manager product versions 9.30
CVE-2019-11661
8.3 - High
- September 18, 2019
Allow changes to some table by non-SysAdmin in Micro Focus Service Manager product versions 9.30, 9.31, 9.32, 9.33, 9.34, 9.35, 9.40, 9.41, 9.50, 9.51, 9.52, 9.60, 9.61, 9.62. This vulnerability could be exploited to allow unauthorized access and modification of data.
Class and method names in error message in Micro Focus Service Manager product versions 9.30
CVE-2019-11662
4.3 - Medium
- September 18, 2019
Class and method names in error message in Micro Focus Service Manager product versions 9.30, 9.31, 9.32, 9.33, 9.34, 9.35, 9.40, 9.41, 9.50, 9.51, 9.52, 9.60, 9.61, 9.62. This vulnerability could be exploited in some special cases to allow information exposure through an error message.
Generation of Error Message Containing Sensitive Information
Clear text credentials are used to access managers app in Tomcat in Micro Focus Service Manager product versions 9.30
CVE-2019-11663
6.5 - Medium
- September 18, 2019
Clear text credentials are used to access managers app in Tomcat in Micro Focus Service Manager product versions 9.30, 9.31, 9.32, 9.33, 9.34, 9.35, 9.40, 9.41, 9.50, 9.51, 9.52, 9.60, 9.61, 9.62. The vulnerability could be exploited to allow sensitive data exposure.
Insufficiently Protected Credentials
Clear text password in browser in Micro Focus Service Manager product versions 9.30
CVE-2019-11664
6.5 - Medium
- September 18, 2019
Clear text password in browser in Micro Focus Service Manager product versions 9.30, 9.31, 9.32, 9.33, 9.34, 9.35, 9.40, 9.41, 9.50, 9.51, 9.52, 9.60, 9.61, 9.62. The vulnerability could be exploited to allow sensitive data exposure.
Insufficiently Protected Credentials
Data exposure in Micro Focus Service Manager product versions 9.30
CVE-2019-11665
7.5 - High
- September 17, 2019
Data exposure in Micro Focus Service Manager product versions 9.30, 9.31, 9.32, 9.33, 9.34, 9.35, 9.40, 9.41, 9.50, 9.51, 9.52, 9.60, 9.61, 9.62. The vulnerability could be exploited to allow sensitive data exposure.
Insecure deserialization of untrusted data in Micro Focus Service Manager product versions 9.30
CVE-2019-11666
8.8 - High
- September 17, 2019
Insecure deserialization of untrusted data in Micro Focus Service Manager product versions 9.30, 9.31, 9.32, 9.33, 9.34, 9.35, 9.40, 9.41, 9.50, 9.51, 9.52, 9.60, 9.61, 9.62. The vulnerability could be exploited to allow insecure deserialization of untrusted data.
Marshaling, Unmarshaling
Unauthorized access to contact information in Micro Focus Service Manager, versions 9.41, 9.50, 9.51, 9.52, 9.60, 9.61, 9.62
CVE-2019-11667
7.5 - High
- September 17, 2019
Unauthorized access to contact information in Micro Focus Service Manager, versions 9.41, 9.50, 9.51, 9.52, 9.60, 9.61, 9.62. The vulnerability could be exploited to allow unauthorized access to private data.
Privileges manipulation in Micro Focus Data Protector, versions 10.00, 10.01, 10.02, 10.03, 10.04, 10.10, 10.20, 10.30, 10.40
CVE-2019-11660
7.8 - High
- September 13, 2019
Privileges manipulation in Micro Focus Data Protector, versions 10.00, 10.01, 10.02, 10.03, 10.04, 10.10, 10.20, 10.30, 10.40. This vulnerability could be exploited by a low-privileged user to execute a custom binary with higher privileges.
Untrusted Path
HTTP cookie in Micro Focus Service manager, Versions 9.30, 9.31, 9.32, 9.33, 9.34, 9.35, 9.40, 9.41, 9.50, 9.51, 9.52, 9.60, 9.61, 9.62
CVE-2019-11668
7.5 - High
- September 10, 2019
HTTP cookie in Micro Focus Service manager, Versions 9.30, 9.31, 9.32, 9.33, 9.34, 9.35, 9.40, 9.41, 9.50, 9.51, 9.52, 9.60, 9.61, 9.62. And Micro Focus Service Manager Chat Server, versions 9.41, 9.50, 9.51, 9.52, 9.60, 9.61, 9.62. And Micro Focus Service Manager Chat Service 9.41, 9.50, 9.51, 9.52, 9.60, 9.61, 9.62.
Modifiable read only check box In Micro Focus Service Manager, versions 9.60p1, 9.61, 9.62
CVE-2019-11669
7.5 - High
- September 10, 2019
Modifiable read only check box In Micro Focus Service Manager, versions 9.60p1, 9.61, 9.62. This vulnerability could be exploited to allow unauthorized modification of data.
Information exposure in Micro Focus Content Manager, versions 9.1, 9.2 and 9.3
CVE-2019-11658
4.3 - Medium
- August 30, 2019
Information exposure in Micro Focus Content Manager, versions 9.1, 9.2 and 9.3. This vulnerability when configured to use an Oracle database, allows valid system users to gain access to a limited subset of records they would not normally be able to access when the system is in an undisclosed abnormal state.
Information Disclosure
Path traversal vulnerability in Micro Focus Verastream Host Integrator (VHI), versions 7.7 SP2 and earlier, The vulnerability
CVE-2019-11654
7.5 - High
- August 23, 2019
Path traversal vulnerability in Micro Focus Verastream Host Integrator (VHI), versions 7.7 SP2 and earlier, The vulnerability allows remote unauthenticated attackers to read arbitrary files.
Directory traversal
A potential authorization bypass issue was found in Micro Focus Self Service Password Reset (SSPR) versions prior to: 4.4.0.3
CVE-2019-11652
9.8 - Critical
- August 14, 2019
A potential authorization bypass issue was found in Micro Focus Self Service Password Reset (SSPR) versions prior to: 4.4.0.3, 4.3.0.6, and 4.2.0.6. Upgrade to Micro Focus Self Service Password Reset (SSPR) SSPR versions 4.4.0.3, 4.3.0.6, or 4.2.0.6 as appropriate.
Remote Access Control Bypass in Micro Focus Content Manager
CVE-2019-11653
5.4 - Medium
- August 07, 2019
Remote Access Control Bypass in Micro Focus Content Manager. versions 9.1, 9.2, 9.3. The vulnerability could be exploited to manipulate data stored during another users CheckIn request.