Insufficiently Protected Credentials vulnerability in OpenText Identity Manager Advanced Edition on Windows, Linux, 64 bit allows Privilege Abuse. This vulnerability could allow an authenticated user to obtain higher privileged user’s sensitive information via crafted payload. This issue affects Identity Manager Advanced Edition: from 4.8.0.0 through 4.8.7.0102, 4.9.0.0.
An attacker with access to the system as an ordinary authenticated user can submit a crafted payload that allows reading insufficiently protected credentials belonging to users with higher privileges. The protection mechanism for stored or transmitted credentials is insufficient, enabling their interception and abuse (Privilege Abuse). The credentials obtained in this way can then be used to operate in the context of privileged accounts.
An attacker can intercept sensitive information (including credentials) of privileged accounts, which in practice can lead to privilege escalation and complete takeover of the identity management system and its associated resources.
Apply patches available from the manufacturer according to references (portal.microfocus.com, article KM000037455). Until the update is applied, it is recommended to restrict system access exclusively to trusted users and monitor account activity for unauthorized access to privileged resources.
OpenText Identity Manager Advanced Edition on Windows and Linux platforms (64-bit) in versions 4.8.0.0 through 4.8.7.0102 and version 4.9.0.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:C/RE:H/U:Red