CVE-2017-9280

EPSS 0.2%
Veröffentlicht 02.03.2018 20:29:00
Zuletzt bearbeitet 21.11.2024 03:35:44
Quelle security@opentext.com
Teams Watchlist Login
Unerledigt Login

Some NetIQ Identity Manager Applications before Identity Manager 4.5.6.1 included the session token in GET URLs, potentially allowing exposure of user sessions to untrusted third parties via proxies, referer urls or similar.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 2 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Netiq ≫ Identity Manager Version < 4.5.6.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.2%	0.428

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:P/I:N/A:N
security@opentext.com	4.3	2.8	1.4	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CWE-598 Use of GET Request Method With Sensitive Query Strings

The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request.

https://download.novell.com/Download?buildid=K7lbPAGJyIk~

https://bugzilla.suse.com/show_bug.cgi?id=1049143

https://nvd.nist.gov/vuln/detail/CVE-2017-9280

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2017-9280

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2017-9280

EUVD