Lucene search

MicrofocusCVELIST:CVE-2017-9280

HistorySep 11, 2017 - 12:00 a.m.

CVE-2017-9280 Novell Identity Manager User Application get request url contains the session token.

2017-09-1100:00:00

CWE-598

microfocus

www.cve.org

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

0.002 Low

EPSS

Percentile

55.2%

JSON

Some NetIQ Identity Manager Applications before Identity Manager 4.5.6.1 included the session token in GET URLs, potentially allowing exposure of user sessions to untrusted third parties via proxies, referer urls or similar.

CNA Affected

[
  {
    "product": "Identity Manager Applications",
    "vendor": "NetIQ",
    "versions": [
      {
        "lessThan": "4.5.6.1",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]

References

bugzilla.suse.com/show_bug.cgi?id=1049143

download.novell.com/Download?buildid=K7lbPAGJyIk~

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

0.002 Low

EPSS

Percentile

55.2%

JSON

Related for CVELIST:CVE-2017-9280