NetIQ Access Manager 4.0 Support Pack 1 HF2 applied
NetIQ Access Manager 4.0 Admin Console
The issue exists only when the admin user executes the above script after first authenticating as the admin user. The link cannot be replayed from an unauthenticated iManager session. To avoid the problem, the Access Manager administrator must make sure they understand links opened from unsolicited messages before clicking them.
As a best practice, the administrator of an Access Management solution should avoid browsing other sites in the same browser that is being used to manage the NAM setup. Although viewed as a lower-priority vulnerability, the NAM team nevertheless plans to fix this in the next release of the product (NAM 4.1).
NetIQ thanks Wolfgang Ettlinger (discovery, analysis, coordination) from the SEC Consult Vulnerability Lab (https://www.sec-consult.com/) for responsibly reporting the identified issues and working with us as we addressed them.