CVE-2014-5216

NetIQ Access Manager 4.x - Cross-Site Scripting via Multiple Parameters

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-5216.

AI-analyzed exploit summary This is a detailed security advisory from SEC Consult Vulnerability Lab describing multiple high-risk vulnerabilities in NetIQ Access Manager 4.0 SP1, including XXE, XSS, CSRF, and information disclosure. It provides technical details, proof-of-concept URLs, and exploitation scenarios.

Description

Multiple cross-site scripting (XSS) vulnerabilities in NetIQ Access Manager (NAM) 4.x before 4.0.1 HF3 allow remote attackers to inject arbitrary web script or HTML via (1) the location parameter in a dev.Empty action to nps/servlet/webacc, (2) the error parameter to nidp/jsp/x509err.jsp, (3) the lang parameter to sslvpn/applet_agent.jsp, or (4) the secureLoggingServersA parameter to roma/system/cntl, a different issue than CVE-2014-9412.

Exploits (1)

exploitdb WRITEUP
webappsjsp
https://www.exploit-db.com/exploits/35594

This is a detailed security advisory from SEC Consult Vulnerability Lab describing multiple high-risk vulnerabilities in NetIQ Access Manager 4.0 SP1, including XXE, XSS, CSRF, and information disclosure. It provides technical details, proof-of-concept URLs, and exploitation scenarios.

Classification
Writeup 100%
Attack Type
Xss | Info Leak | Auth Bypass | Other
Complexity
Moderate
Reliability
Reliable
Target: NetIQ Access Manager 4.0 SP1
Auth required
Prerequisites: Authenticated administrative access for some exploits · Network access to the target system
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (5)

Core 5

Scores

EPSS 0.0324
EPSS Percentile 86.7%

Details

CWE
CWE-79
Status published
Products (2)
microfocus/access_manager 4.0
microfocus/access_manager 4.0.1
Published Dec 23, 2014
Tracked Since Feb 18, 2026