CVE-2014-9412

Name of the Vulnerable Software and Affected Versions NetIQ Access Manager versions prior to 4.1

Description The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML. This can be achieved via an arbitrary parameter to "roma/jsp/debug/debug.jsp" or an arbitrary parameter in a debug.DumpAll action to "nps/servlet/webacc".

Recommendations For versions prior to 4.1, update to version 4.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the "roma/jsp/debug/debug.jsp" and "nps/servlet/webacc" endpoints until a patch is available. Avoid using arbitrary parameters in the debug.DumpAll action until the issue is resolved.