Sun Java System Identity Manager Multiple Vulnerabilities

Multiple vulnerabilities have been identified in Sun Java System Identity Manager, which could be exploited by attackers to bypass certain security restrictions, disclose sensitive information, conduct cross-site scripting attacks, or potentially compromise a vulnerable system.

1. An unspecified error can lead to unencrypted communication between clients and the IDM server.

2. An unspecified error can be exploited to enumerate valid user accounts.

3. An unspecified error can be exploited to change another user's password.

4. An unspecified error can be exploited to perform certain actions that are expected to be restricted.

Successful exploitation requires a valid user account.

5. Unspecified input is not properly sanitised before being used. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

6. An unspecified error can be exploited to bypass certain security restrictions, which potentially allows cross-site scripting and cross-site request forgery attacks.

Successful exploitation requires a valid user account.

7. An unspecified error can be exploited to execute arbitrary commands on Unix / Linux based resource adapters.

8. An unspecified error can be exploited to modify IDM system configuration data.

9. An unspecified error can be exploited by IDM users to gain escalated privileges or to execute arbitrary code on the IDM server machine.

Successful exploitation may require a valid user account.

The vulnerabilities are reported in Sun Java System Identity Manager 7.0, 7.1, 7.1.1, and 8.0.

NOTE: Version 8.1 is reportedly not affected.