Vulnerabilities related to microfocus - directory_server
CVE-2017-5187 (GCVE-0-2017-5187)
Vulnerability from cvelistv5
Published
2017-08-21 15:00
Modified
2024-09-16 22:41
CWE
- CWE-352 - Cross-Site Request Forgery (CWE-352) and Remote Code Execution (CWE-78)
Summary
A Cross-Site Request Forgery (CWE-352) vulnerability in Directory Server (aka Enterprise Server Administration web UI) in Micro Focus Enterprise Developer and Enterprise Server 2.3 and earlier, 2.3 Update 1 before Hotfix 8, and 2.3 Update 2 before Hotfix 9 allows remote unauthenticated attackers to view and alter (CWE-275) configuration information and inject OS commands (CWE-78) via forged requests.
References
Impacted products
Vendor | Product | Version
---|---|---
Micro Focus | Micro Focus Enterprise Developer, Micro Focus Enterprise Server | 2.3 before 2.3 Update 1, 2.3 Update 1 before Hotfix 8, 2.3 Update 2 before Hotfix 9
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T14:55:35.343Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://community.microfocus.com/microfocus/mainframe_solutions/enterprise_server/w/knowledge_base/29131/enterprise-server-security-fixes-july-2017" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Micro Focus Enterprise Developer, Micro Focus Enterprise Server", "vendor": "Micro Focus", "versions": [ { "status": "affected", "version": "2.3 before 2.3 Update 1, 2.3 Update 1 before Hotfix 8, 2.3 Update 2 before Hotfix 9" } ] } ], "datePublic": "2017-08-19T00:00:00", "descriptions": [ { "lang": "en", "value": "A Cross-Site Request Forgery (CWE-352) vulnerability in Directory Server (aka Enterprise Server Administration web UI) in Micro Focus Enterprise Developer and Enterprise Server 2.3 and earlier, 2.3 Update 1 before Hotfix 8, and 2.3 Update 2 before Hotfix 9 allows remote unauthenticated attackers to view and alter (CWE-275) configuration information and inject OS commands (CWE-78) via forged requests." 
} ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-352", "description": "Cross-Site Request Forgery (CWE-352) and Remote Code Execution (CWE-78)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-01-06T16:15:51", "orgId": "f81092c5-7f14-476d-80dc-24857f90be84", "shortName": "microfocus" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://community.microfocus.com/microfocus/mainframe_solutions/enterprise_server/w/knowledge_base/29131/enterprise-server-security-fixes-july-2017" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@microfocus.com", "DATE_PUBLIC": "2017-08-19T00:00:00", "ID": "CVE-2017-5187", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Micro Focus Enterprise Developer, Micro Focus Enterprise Server", "version": { "version_data": [ { "version_value": "2.3 before 2.3 Update 1, 2.3 Update 1 before Hotfix 8, 2.3 Update 2 before Hotfix 9" } ] } } ] }, "vendor_name": "Micro Focus" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A Cross-Site Request Forgery (CWE-352) vulnerability in Directory Server (aka Enterprise Server Administration web UI) in Micro Focus Enterprise Developer and Enterprise Server 2.3 and earlier, 2.3 Update 1 before Hotfix 8, and 2.3 Update 2 before Hotfix 9 allows remote unauthenticated attackers to view and alter (CWE-275) configuration information and inject OS commands (CWE-78) via forged requests." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross-Site Request Forgery (CWE-352) and Remote Code Execution (CWE-78)" } ] } ] }, "references": { "reference_data": [ { "name": "https://community.microfocus.com/microfocus/mainframe_solutions/enterprise_server/w/knowledge_base/29131/enterprise-server-security-fixes-july-2017", "refsource": "MISC", "url": "https://community.microfocus.com/microfocus/mainframe_solutions/enterprise_server/w/knowledge_base/29131/enterprise-server-security-fixes-july-2017" } ] } } } }, "cveMetadata": { "assignerOrgId": "f81092c5-7f14-476d-80dc-24857f90be84", "assignerShortName": "microfocus", "cveId": "CVE-2017-5187", "datePublished": "2017-08-21T15:00:00Z", "dateReserved": "2017-01-06T00:00:00", "dateUpdated": "2024-09-16T22:41:17.504Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2017-7421 (GCVE-0-2017-7421)
Vulnerability from cvelistv5
Published
2017-08-21 15:00
Modified
2024-09-16 22:34
CWE
- CWE-79 - Cross-Site Scripting (CWE-79)
Summary
Reflected and stored Cross-Site Scripting (XSS, CWE-79) vulnerabilities in Directory Server (aka Enterprise Server Administration web UI) and ESMAC (aka Enterprise Server Monitor and Control) in Micro Focus Enterprise Developer and Enterprise Server 2.3 and earlier, 2.3 Update 1 before Hotfix 8, and 2.3 Update 2 before Hotfix 9 allow remote authenticated attackers to bypass protection mechanisms (CWE-693) and other security features.
References
Impacted products
Vendor | Product | Version
---|---|---
Micro Focus | Micro Focus Enterprise Developer, Micro Focus Enterprise Server | All versions before 2.3 Update 1, 2.3 Update 1 before Hotfix 8, 2.3 Update 2 before Hotfix 9
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T16:04:11.241Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://community.microfocus.com/microfocus/mainframe_solutions/enterprise_server/w/knowledge_base/29131/enterprise-server-security-fixes-july-2017" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Micro Focus Enterprise Developer, Micro Focus Enterprise Server", "vendor": "Micro Focus", "versions": [ { "status": "affected", "version": "All versions before 2.3 Update 1, 2.3 Update 1 before Hotfix 8, 2.3 Update 2 before Hotfix 9" } ] } ], "datePublic": "2017-08-19T00:00:00", "descriptions": [ { "lang": "en", "value": "Reflected and stored Cross-Site Scripting (XSS, CWE-79) vulnerabilities in Directory Server (aka Enterprise Server Administration web UI) and ESMAC (aka Enterprise Server Monitor and Control) in Micro Focus Enterprise Developer and Enterprise Server 2.3 and earlier, 2.3 Update 1 before Hotfix 8, and 2.3 Update 2 before Hotfix 9 allow remote authenticated attackers to bypass protection mechanisms (CWE-693) and other security features." 
} ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "Cross-Site Scripting (CWE-79)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-01-06T16:15:42", "orgId": "f81092c5-7f14-476d-80dc-24857f90be84", "shortName": "microfocus" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://community.microfocus.com/microfocus/mainframe_solutions/enterprise_server/w/knowledge_base/29131/enterprise-server-security-fixes-july-2017" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@microfocus.com", "DATE_PUBLIC": "2017-08-19T00:00:00", "ID": "CVE-2017-7421", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Micro Focus Enterprise Developer, Micro Focus Enterprise Server", "version": { "version_data": [ { "version_value": "All versions before 2.3 Update 1, 2.3 Update 1 before Hotfix 8, 2.3 Update 2 before Hotfix 9" } ] } } ] }, "vendor_name": "Micro Focus" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Reflected and stored Cross-Site Scripting (XSS, CWE-79) vulnerabilities in Directory Server (aka Enterprise Server Administration web UI) and ESMAC (aka Enterprise Server Monitor and Control) in Micro Focus Enterprise Developer and Enterprise Server 2.3 and earlier, 2.3 Update 1 before Hotfix 8, and 2.3 Update 2 before Hotfix 9 allow remote authenticated attackers to bypass protection mechanisms (CWE-693) and other security features." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross-Site Scripting (CWE-79)" } ] } ] }, "references": { "reference_data": [ { "name": "https://community.microfocus.com/microfocus/mainframe_solutions/enterprise_server/w/knowledge_base/29131/enterprise-server-security-fixes-july-2017", "refsource": "MISC", "url": "https://community.microfocus.com/microfocus/mainframe_solutions/enterprise_server/w/knowledge_base/29131/enterprise-server-security-fixes-july-2017" } ] } } } }, "cveMetadata": { "assignerOrgId": "f81092c5-7f14-476d-80dc-24857f90be84", "assignerShortName": "microfocus", "cveId": "CVE-2017-7421", "datePublished": "2017-08-21T15:00:00Z", "dateReserved": "2017-04-05T00:00:00", "dateUpdated": "2024-09-16T22:34:58.893Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
Vulnerability from fkie_nvd
Published
2017-08-21 15:29
Modified
2025-04-20 01:37
Summary
Reflected and stored Cross-Site Scripting (XSS, CWE-79) vulnerabilities in Directory Server (aka Enterprise Server Administration web UI) and ESMAC (aka Enterprise Server Monitor and Control) in Micro Focus Enterprise Developer and Enterprise Server 2.3 and earlier, 2.3 Update 1 before Hotfix 8, and 2.3 Update 2 before Hotfix 9 allow remote authenticated attackers to bypass protection mechanisms (CWE-693) and other security features.
References
Impacted products
Vendor | Product | Version | Update
---|---|---|---
microfocus | directory_server | - | *
microfocus | enterprise_developer | 2.3 | *
microfocus | enterprise_developer | 2.3 | update1
microfocus | enterprise_developer | 2.3 | update2
microfocus | enterprise_server | * (versionEndIncluding 2.3) | *
microfocus | enterprise_server | 2.3 | update1
microfocus | enterprise_server | 2.3 | update2
microfocus | enterprise_server_monitor_and_control | - | *
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:microfocus:directory_server:-:*:*:*:*:*:*:*", "matchCriteriaId": "3FA6D858-2EBE-4EDB-9178-1FAB470F4E51", "vulnerable": true }, { "criteria": "cpe:2.3:a:microfocus:enterprise_developer:2.3:*:*:*:*:*:*:*", "matchCriteriaId": "E13FE8F0-D7FF-4C77-A0D9-DBE13222B2E4", "vulnerable": true }, { "criteria": "cpe:2.3:a:microfocus:enterprise_developer:2.3:update1:*:*:*:*:*:*", "matchCriteriaId": "ADAA9BF3-9B1F-44AE-9D74-B8747979DBA8", "vulnerable": true }, { "criteria": "cpe:2.3:a:microfocus:enterprise_developer:2.3:update2:*:*:*:*:*:*", "matchCriteriaId": "4B18C3E3-494E-40A7-92F7-E7B95E9C094F", "vulnerable": true }, { "criteria": "cpe:2.3:a:microfocus:enterprise_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "E6A661E8-AFD3-4B51-9E69-AD709A969ECC", "versionEndIncluding": "2.3", "vulnerable": true }, { "criteria": "cpe:2.3:a:microfocus:enterprise_server:2.3:update1:*:*:*:*:*:*", "matchCriteriaId": "E23C5342-8F45-4675-9401-EBC7287D65CD", "vulnerable": true }, { "criteria": "cpe:2.3:a:microfocus:enterprise_server:2.3:update2:*:*:*:*:*:*", "matchCriteriaId": "6AD523A5-68BB-4397-945E-C95FD0E3229A", "vulnerable": true }, { "criteria": "cpe:2.3:a:microfocus:enterprise_server_monitor_and_control:-:*:*:*:*:*:*:*", "matchCriteriaId": "C94B4907-6212-448D-A8F0-E5A8FD701F58", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Reflected and stored Cross-Site Scripting (XSS, CWE-79) vulnerabilities in Directory Server (aka Enterprise Server Administration web UI) and ESMAC (aka Enterprise Server Monitor and Control) in Micro Focus Enterprise Developer and Enterprise Server 2.3 and earlier, 2.3 Update 1 before Hotfix 8, and 2.3 Update 2 before Hotfix 9 allow remote authenticated attackers to bypass protection mechanisms (CWE-693) and other security features." 
}, { "lang": "es", "value": "Las vulnerabilidades de cross-Site Scripting (XSS) reflejado y stored en Directory Server (tambi\u00e9n llamado Enterprise Server Administration web UI) y ESMAC (tambi\u00e9n llamado Enterprise Server Monitor and Control) en Micro Focus Enterprise Developer y Enterprise Server 2.3 y anteriores, 2.3 Update 1 en versiones anteriores a Hotfix 8, y 2.3 Update 2 en versiones anteriores a Hotfix 9 permiten que atacantes remotos autenticados omitan los mecanismos de protecci\u00f3n (CWE-693) y otras caracter\u00edsticas de seguridad." } ], "id": "CVE-2017-7421", "lastModified": "2025-04-20T01:37:25.860", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-08-21T15:29:00.263", "references": [ { "source": "security@opentext.com", "url": "https://community.microfocus.com/microfocus/mainframe_solutions/enterprise_server/w/knowledge_base/29131/enterprise-server-security-fixes-july-2017" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", 
"url": "https://community.microfocus.com/microfocus/mainframe_solutions/enterprise_server/w/knowledge_base/29131/enterprise-server-security-fixes-july-2017" } ], "sourceIdentifier": "security@opentext.com", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "security@opentext.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2017-08-21 15:29
Modified
2025-04-20 01:37
Summary
A Cross-Site Request Forgery (CWE-352) vulnerability in Directory Server (aka Enterprise Server Administration web UI) in Micro Focus Enterprise Developer and Enterprise Server 2.3 and earlier, 2.3 Update 1 before Hotfix 8, and 2.3 Update 2 before Hotfix 9 allows remote unauthenticated attackers to view and alter (CWE-275) configuration information and inject OS commands (CWE-78) via forged requests.
References
Impacted products
Vendor | Product | Version | Update
---|---|---|---
microfocus | directory_server | - | *
microfocus | enterprise_developer | 2.3 | *
microfocus | enterprise_developer | 2.3 | update1
microfocus | enterprise_developer | 2.3 | update2
microfocus | enterprise_server | * (versionEndIncluding 2.3) | *
microfocus | enterprise_server | 2.3 | update1
microfocus | enterprise_server | 2.3 | update2
microfocus | enterprise_server_monitor_and_control | - | *
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:microfocus:directory_server:-:*:*:*:*:*:*:*", "matchCriteriaId": "3FA6D858-2EBE-4EDB-9178-1FAB470F4E51", "vulnerable": true }, { "criteria": "cpe:2.3:a:microfocus:enterprise_developer:2.3:*:*:*:*:*:*:*", "matchCriteriaId": "E13FE8F0-D7FF-4C77-A0D9-DBE13222B2E4", "vulnerable": true }, { "criteria": "cpe:2.3:a:microfocus:enterprise_developer:2.3:update1:*:*:*:*:*:*", "matchCriteriaId": "ADAA9BF3-9B1F-44AE-9D74-B8747979DBA8", "vulnerable": true }, { "criteria": "cpe:2.3:a:microfocus:enterprise_developer:2.3:update2:*:*:*:*:*:*", "matchCriteriaId": "4B18C3E3-494E-40A7-92F7-E7B95E9C094F", "vulnerable": true }, { "criteria": "cpe:2.3:a:microfocus:enterprise_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "E6A661E8-AFD3-4B51-9E69-AD709A969ECC", "versionEndIncluding": "2.3", "vulnerable": true }, { "criteria": "cpe:2.3:a:microfocus:enterprise_server:2.3:update1:*:*:*:*:*:*", "matchCriteriaId": "E23C5342-8F45-4675-9401-EBC7287D65CD", "vulnerable": true }, { "criteria": "cpe:2.3:a:microfocus:enterprise_server:2.3:update2:*:*:*:*:*:*", "matchCriteriaId": "6AD523A5-68BB-4397-945E-C95FD0E3229A", "vulnerable": true }, { "criteria": "cpe:2.3:a:microfocus:enterprise_server_monitor_and_control:-:*:*:*:*:*:*:*", "matchCriteriaId": "C94B4907-6212-448D-A8F0-E5A8FD701F58", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A Cross-Site Request Forgery (CWE-352) vulnerability in Directory Server (aka Enterprise Server Administration web UI) in Micro Focus Enterprise Developer and Enterprise Server 2.3 and earlier, 2.3 Update 1 before Hotfix 8, and 2.3 Update 2 before Hotfix 9 allows remote unauthenticated attackers to view and alter (CWE-275) configuration information and inject OS commands (CWE-78) via forged requests." 
}, { "lang": "es", "value": "Una vulnerabilidad de tipo Cross-Site Request Forgery (CWE-352) en Directory Server (tambi\u00e9n llamado Enterprise Server Administration web UI) en Micro Focus Enterprise Developer y Enterprise Server 2.3 y anteriores, 2.3 Update 1 en versiones anteriores a Hotfix 8, y 2.3 Update 2 en versiones anteriores a Hotfix 9 permite que atacantes remotos sin autenticar vean y alteren (CWE-275) la informaci\u00f3n de configuraci\u00f3n e inyecten comandos del sistema operativo (CWE-78) mediante peticiones falsificadas." } ], "id": "CVE-2017-5187", "lastModified": "2025-04-20T01:37:25.860", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-08-21T15:29:00.183", "references": [ { "source": "security@opentext.com", "url": "https://community.microfocus.com/microfocus/mainframe_solutions/enterprise_server/w/knowledge_base/29131/enterprise-server-security-fixes-july-2017" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": 
"https://community.microfocus.com/microfocus/mainframe_solutions/enterprise_server/w/knowledge_base/29131/enterprise-server-security-fixes-july-2017" } ], "sourceIdentifier": "security@opentext.com", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-352" } ], "source": "security@opentext.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-352" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }