CVE-2022-25626

An unauthenticated user can access Identity Manager’s management console specific page URLs. However, the system doesn’t allow the user to carry out server side tasks without a valid web session.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://support.broadcom.com/external/content/SecurityAdvisories/0/21136	Release Notes Vendor Advisory
https://support.broadcom.com/external/content/SecurityAdvisories/0/21136	Release Notes Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:broadcom:symantec_identity_governance_and_administration:14.3:::::::*
	cpe:2.3:a:broadcom:symantec_identity_governance_and_administration:14.4:::::::*

History

18 Apr 2025, 14:15

Type	Values Removed	Values Added
CWE		CWE-425

21 Nov 2024, 06:52

Type	Values Removed	Values Added
References	~~() https://support.broadcom.com/external/content/SecurityAdvisories/0/21136 - Release Notes, Vendor Advisory~~	() https://support.broadcom.com/external/content/SecurityAdvisories/0/21136 - Release Notes, Vendor Advisory

08 Aug 2023, 14:21

Type	Values Removed	Values Added
CWE	~~CWE-287~~	NVD-CWE-noinfo

21 Dec 2022, 16:33

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.3
References	~~(MISC) https://support.broadcom.com/external/content/SecurityAdvisories/0/21136 -~~	(MISC) https://support.broadcom.com/external/content/SecurityAdvisories/0/21136 - Release Notes, Vendor Advisory
CPE		cpe:2.3:a:broadcom:symantec_identity_governance_and_administration:14.3:::::::* cpe:2.3:a:broadcom:symantec_identity_governance_and_administration:14.4:::::::*
CWE		CWE-287

16 Dec 2022, 17:11

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-12-16 16:15

Updated : 2025-04-18 14:15

NVD link : CVE-2022-25626

Mitre link : CVE-2022-25626

CVE.ORG link : CVE-2022-25626

JSON object : View

Products Affected

broadcom

symantec_identity_governance_and_administration

CWE

NVD-CWE-noinfo CWE-425

Direct Request ('Forced Browsing')

{"id": "CVE-2022-25626", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2022-12-16T16:15:21.553", "references": [{"url": "https://support.broadcom.com/external/content/SecurityAdvisories/0/21136", "tags": ["Release Notes", "Vendor Advisory"], "source": "secure@symantec.com"}, {"url": "https://support.broadcom.com/external/content/SecurityAdvisories/0/21136", "tags": ["Release Notes", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-425"}]}], "descriptions": [{"lang": "en", "value": "An unauthenticated user can access Identity Manager\u2019s management console specific page URLs. However, the system doesn\u2019t allow the user to carry out server side tasks without a valid web session."}, {"lang": "es", "value": "Un usuario no autenticado puede acceder a las URL de p\u00e1ginas espec\u00edficas de la consola de administraci\u00f3n de Identity Manager. Sin embargo, el sistema no permite al usuario realizar tareas del lado del servidor sin una sesi\u00f3n web v\u00e1lida."}], "lastModified": "2025-04-18T14:15:17.737", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:broadcom:symantec_identity_governance_and_administration:14.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F02FD4DC-D8DF-4665-A0FC-0B62FA66939E"}, {"criteria": "cpe:2.3:a:broadcom:symantec_identity_governance_and_administration:14.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5715C42F-8629-41C6-96E9-CC6DA8E3ABCE"}], "operator": "OR"}]}], "sourceIdentifier": "secure@symantec.com"}