CVE-2014-5214 - Unspecified vulnerability in Microfocus Access Manager 4.0/4.0.1

CVSS 4.0 - MEDIUM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: SINGLE
Confidentiality impact: PARTIAL
Integrity impact: NONE
Availability impact: NONE

Summary

nps/servlet/webacc in iManager in the Administration Console server in NetIQ Access Manager (NAM) 4.x before 4.0.1 HF3 allows remote authenticated novlwww users to read arbitrary files via a query parameter containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. CWE-611: Improper Restriction of XML External Entity Reference ('XXE') (http://cwe.mitre.org/data/definitions/611.html)

Vulnerable Configurations

Part: Application
Description: Microfocus
Count: 2

Nessus

NASL family: CGI abuses
NASL id: NETIQ_ACCESS_MANAGER_4SP1HF3.NASL
description: The remote host is running a version of NetIQ Access Manager 4.0 without service pack 1 hotfix 3. It is, therefore, affected by the following vulnerabilities : - An XML Entity Injection (XXE) flaw exists in the
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 81405
published: 2015-02-18
reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/81405
title: NetIQ Access Manager 4.0 < 4.0 SP1 Hotfix 3 Multiple Vulnerabilities

Packetstorm

data source: https://packetstormsecurity.com/files/download/129658/SA-20141218-2.txt
id: PACKETSTORM:129658
last seen: 2016-12-05
published: 2014-12-19
reporter: Wolfgang Ettlinger
source: https://packetstormsecurity.com/files/129658/NetIQ-Access-Manager-4.0-SP1-XSS-CSRF-XXE-Injection-Disclosure.html
title: NetIQ Access Manager 4.0 SP1 XSS / CSRF / XXE Injection / Disclosure