CVE-2014-9412

NetIQ Access Manager 4.x < 4.1 - Cross-Site Scripting via Debug Parameters

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-9412. PoCs published by SEC Consult.

AI-analyzed exploit summary: This is a detailed security advisory from SEC Consult describing multiple vulnerabilities in NetIQ Access Manager 4.0 SP1, including XXE, XSS, CSRF, and information disclosure. It provides Proof of Concept (PoC) URLs for each vulnerability but does not include executable exploit code.

Description

Multiple cross-site scripting (XSS) vulnerabilities in NetIQ Access Manager (NAM) 4.x before 4.1 allow remote attackers to inject arbitrary web script or HTML via (1) an arbitrary parameter to roma/jsp/debug/debug.jsp or (2) an arbitrary parameter in a debug.DumpAll action to nps/servlet/webacc, a different issue than CVE-2014-5216.

Exploits (1)

exploitdb WRITEUP
by SEC Consult · text · webapps · jsp
https://www.exploit-db.com/exploits/35594


Classification: Writeup 100%
Attack Type: XSS | Info Leak | Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: NetIQ Access Manager 4.0 SP1
Auth required
Prerequisites: Authenticated administrative access for some vulnerabilities · Network access to the target system
devstral-2 · analyzed Feb 16, 2026

Scores

EPSS 0.0324
EPSS Percentile 86.6%

Details

CWE: CWE-79
Status published
Products (2)
microfocus/access_manager 4.0
microfocus/access_manager 4.0.1
Published Dec 23, 2014
Tracked Since Feb 18, 2026