Netiq

Products by Netiq Sorted by Most Security Vulnerabilities since 2018

Netiq Identity Manager: 7 vulnerabilities

Netiq Edirectory: 6 vulnerabilities

Netiq Imanager: 5 vulnerabilities

Netiq Access Manager: 3 vulnerabilities

Netiq Pssecure: 1 vulnerability

Netiq Sentinel: 1 vulnerability

By the Year

In 2024 there have been 0 vulnerabilities in Netiq. Last year Netiq had 3 security vulnerabilities published. Right now, Netiq is on track to have fewer security vulnerabilities in 2024 than it did last year.

Year Vulnerabilities Average Score
2024 0 0.00
2023 3 7.07
2022 0 0.00
2021 0 0.00
2020 0 0.00
2019 1 7.50
2018 21 7.28

It may take a day or so for new Netiq vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Netiq Security Vulnerabilities

Broken access control in Advanced Authentication versions prior to 6.4.1.1 and 6.3.7.2

CVE-2023-24468 9.8 - Critical - March 15, 2023

Broken access control in Advanced Authentication versions prior to 6.4.1.1 and 6.3.7.2

Cross-site Scripting (XSS) vulnerability in NetIQ iManager prior to version 3.2.6

CVE-2022-38758 6.1 - Medium - January 26, 2023

Cross-site Scripting (XSS) vulnerability in NetIQ iManager prior to version 3.2.6 allows an attacker to execute malicious scripts in the user's browser. This issue affects: Micro Focus NetIQ iManager versions prior to 3.2.6 on ALL.

XSS

File existence disclosure vulnerability in NetIQ Identity Manager plugin prior to version 4.8.5

CVE-2022-26329 5.3 - Medium - January 26, 2023

File existence disclosure vulnerability in NetIQ Identity Manager plugin prior to version 4.8.5 allows an attacker to determine whether a file exists on the filesystem. This issue affects: Micro Focus NetIQ Identity Manager versions prior to 4.8.5 on ALL.

Exposure of Resource to Wrong Sphere

An information leakage exists in Micro Focus NetIQ Self Service Password Reset Software all versions prior to version 4.4

CVE-2019-11648 7.5 - High - June 24, 2019

An information leakage exists in Micro Focus NetIQ Self Service Password Reset Software all versions prior to version 4.4. The vulnerability could be exploited to expose sensitive information.

Information Disclosure

Unvalidated redirect vulnerability in NetIQ eDirectory before 9.1.1 HF1.

CVE-2018-7692 6.1 - Medium - August 09, 2018

Unvalidated redirect vulnerability in NetIQ eDirectory before 9.1.1 HF1.

Open Redirect

Information leakage vulnerability in NetIQ eDirectory before 9.1.1 HF1 due to shared memory usage.

CVE-2018-7686 7.5 - High - August 09, 2018

Information leakage vulnerability in NetIQ eDirectory before 9.1.1 HF1 due to shared memory usage.

Information Disclosure

NetIQ iManager 3.1.1 addresses potential XSS vulnerabilities.

CVE-2018-12462 6.1 - Medium - July 10, 2018

NetIQ iManager 3.1.1 addresses potential XSS vulnerabilities.

XSS

Fixed issues with NetIQ eDirectory prior to 9.1.1 when checking certificate revocation.

CVE-2018-12461 7.5 - High - July 10, 2018

Fixed issues with NetIQ eDirectory prior to 9.1.1 when checking certificate revocation.

Improper Certificate Validation

The NetIQ Identity Manager user console

CVE-2018-7674 6.1 - Medium - March 28, 2018

The NetIQ Identity Manager user console, in versions prior to 4.7, is susceptible to URL redirection.

Open Redirect

The NetIQ Identity Manager

CVE-2018-7676 5.9 - Medium - March 28, 2018

The NetIQ Identity Manager, in versions prior to 4.7, userapp with log / trace enabled may leak sensitive information.

Information Disclosure

NetIQ Identity Manager driver, in versions prior to 4.7

CVE-2018-1348 7.4 - High - March 26, 2018

NetIQ Identity Manager driver, in versions prior to 4.7, allows for an SSL handshake renegotiation which could result in a MITM attack.

The NetIQ Identity Manager driver log file, in versions prior to 4.7, provides details

CVE-2018-1349 5.3 - Medium - March 26, 2018

The NetIQ Identity Manager driver log file, in versions prior to 4.7, provides details that could aid in system or configuration enumeration.

Insertion of Sensitive Information into Log File

The NetIQ Identity Manager driver log file, in versions prior to 4.7, provides details

CVE-2018-1350 5.3 - Medium - March 26, 2018

The NetIQ Identity Manager driver log file, in versions prior to 4.7, provides details that could aid in system enumeration.

Insertion of Sensitive Information into Log File

The NetIQ Identity Manager communication channel

CVE-2018-7673 7.5 - High - March 26, 2018

The NetIQ Identity Manager communication channel, in versions prior to 4.7, is susceptible to a DoS attack.

Addresses denial of service attack to eDirectory versions prior to 9.1.

CVE-2018-1346 7.5 - High - March 21, 2018

Addresses denial of service attack to eDirectory versions prior to 9.1.

Addresses potential communication downgrade attack in NetIQ iManager versions prior to 3.1

CVE-2018-1344 8.6 - High - March 21, 2018

Addresses potential communication downgrade attack in NetIQ iManager versions prior to 3.1

The administrative web interface in NetIQ iManager

CVE-2018-1347 6.1 - Medium - March 21, 2018

The administrative web interface in NetIQ iManager, in versions prior to 3.1, is vulnerable to reflected cross-site scripting.

XSS

NetIQ iManager

CVE-2018-1345 8.8 - High - March 21, 2018

NetIQ iManager, versions prior to 3.1, under some circumstances could be susceptible to an elevation of privilege attack.

A cross-site scripting vulnerability exists in the Administration Console in NetIQ Access Manager (NAM) 4.3 and 4.4.

CVE-2018-7678 4.8 - Medium - March 14, 2018

A cross-site scripting vulnerability exists in the Administration Console in NetIQ Access Manager (NAM) 4.3 and 4.4.

XSS

A CSRF exposure exists in NetIQ Access Manager (NAM) 4.4 Identity Server component.

CVE-2018-7677 8.8 - High - March 14, 2018

A CSRF exposure exists in NetIQ Access Manager (NAM) 4.4 Identity Server component.

Session Riding

In NetIQ Sentinel before 8.1.x, a Sentinel user is logged into the Sentinel Web Interface

CVE-2018-7675 5.3 - Medium - March 07, 2018

In NetIQ Sentinel before 8.1.x, a Sentinel user is logged into the Sentinel Web Interface. After performing some tasks within Sentinel, the user does not log out but does go idle for a period of time. This in turn causes the interface to time out so that it requires the user to re-authenticate. If another user is passing by and decides to log in, their credentials are accepted. While the user does not inherit any of the other user's privileges, they are able to view the previous screen. In this case it is possible that the user can see another user's events or configuration information for whatever view is currently showing.

Information Disclosure

PAM exposure enabling unauthenticated access to remote host

CVE-2018-1343 9.8 - Critical - March 06, 2018

PAM exposure enabling unauthenticated access to remote host

Authentication

NetIQ eDirectory before 9.0 SP4 did not enforce login restrictions when "ebaclient" was used

CVE-2017-9285 9.8 - Critical - March 02, 2018

NetIQ eDirectory before 9.0 SP4 did not enforce login restrictions when "ebaclient" was used, allowing unpermitted access to eDirectory services.

Authentication

The certificate upload in NetIQ eDirectory PKI plugin before 8.8.8 Patch 10 Hotfix 1 could be abused to upload JSP code

CVE-2017-7429 8.8 - High - March 02, 2018

The certificate upload in NetIQ eDirectory PKI plugin before 8.8.8 Patch 10 Hotfix 1 could be abused to upload JSP code which could be used by authenticated attackers to execute JSP applets on the iManager server.

Improper Certificate Validation

A vulnerability exists on Admin Console where an attacker can upload files to the Admin Console server, and potentially execute them

CVE-2018-1342 9.8 - Critical - January 26, 2018

A vulnerability exists on Admin Console where an attacker can upload files to the Admin Console server, and potentially execute them. This impacts NetIQ Access Manager versions 4.3 and 4.4 as well as the Administrative console.

Unrestricted File Upload

Directory traversal vulnerability in the third party tool from NetIQ, as used to secure the iSeries AS/400 FTP server

CVE-2005-1244 - April 20, 2005

Directory traversal vulnerability in the third party tool from NetIQ, as used to secure the iSeries AS/400 FTP server, allows remote attackers to access arbitrary files, including those from qsys.lib, via ".." sequences in a GET request. NOTE: the vendor has disputed this issue, saying that "neither NetIQ Security Manager nor our iSeries Security Solutions are vulnerable."

Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).