iManager - Multiple Reflected Cross-Site Scripting (CVE-2017-7427)

  • 7021423
  • 15-Sep-2017
  • 05-Mar-2018

Environment

iManager 2.7.7
iManager 3.0.1
Identity Manager iManager Plug-ins
Identity Manager 4.5
CVE-2017-7427

Situation

PEN tests were executed against the Identity Manager Plug-in, hosted on iManager 2.7.7.7. In certain scenarios, it was possible to execute arbitrary JavaScript code in the context of vulnerable application.

Note: Special thanks to Pawel.Batunek@ingservicespolska.pl for finding and reporting this issue.

Resolution

Fixed in the IDM 4.6.1 Identity Manager Plug-ins, dated July 10, 2017 or newer.

Status

Security Alert

Feedback service temporarily unavailable. For content questions or problems, please contact Support.