"Yahoo Discloses NetIQ iManager Flaws Allowing Remote Code Execution"
Yahoo’s vulnerability research team recently identified nearly a dozen flaws in OpenText’s NetIQ iManager product, including some that could have been chained for unauthenticated remote code execution. The team discovered 11 vulnerabilities that could have been exploited individually for cross-site request forgery (CSRF), server-side request forgery (SSRF), remote code execution (RCE), arbitrary file upload, authentication bypass, file disclosure, and privilege escalation. Patches for these vulnerabilities were released, with updates rolled out in April. Of the 11 vulnerabilities they found, the researchers described four in detail: CVE-2024-3487, an authentication bypass flaw; CVE-2024-3483, a command injection flaw; CVE-2024-3488, an arbitrary file upload flaw; and CVE-2024-4429, a CSRF validation bypass flaw. The researchers noted that chaining these vulnerabilities could have allowed an attacker to compromise iManager remotely from the internet by luring a user connected to their corporate network to a malicious website.
SecurityWeek reports: "Yahoo Discloses NetIQ iManager Flaws Allowing Remote Code Execution"