CVE-2021-38134

6.1 MEDIUM

📋 TL;DR

CVE-2021-38134 is a cross-site scripting (XSS) vulnerability in the "URL for access" component of OpenText iManager. Attackers can inject malicious scripts that execute in a user's browser when the user visits a crafted URL. This affects organizations using OpenText iManager 3.2.5.0000 for identity and access management.

💻 Affected Systems

Products:
  • OpenText iManager
Versions: 3.2.5.0000
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the vulnerable URL component to be accessible and user interaction with crafted links.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal administrator session cookies, perform actions as authenticated users, or redirect users to malicious sites, potentially leading to full system compromise.

🟠 Likely Case

Attackers steal session cookies or credentials from authenticated users, gaining unauthorized access to the iManager administration interface.

🟢 If Mitigated

With proper input validation and output encoding, malicious scripts are neutralized before reaching user browsers.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

XSS vulnerabilities typically have low exploitation complexity but require user interaction or social engineering.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Update to iManager 3.2.6 or later

Vendor Advisory: https://www.netiq.com/documentation/imanager-32/imanager326_releasenotes/data/imanager326_releasenotes.html

Restart Required: Yes

Instructions:

1. Download iManager 3.2.6 or later from the OpenText support portal.
2. Back up the current configuration.
3. Install the update following the vendor documentation.
4. Restart iManager services.

🔧 Temporary Workarounds

Input Validation Filter

all

Implement web application firewall rules or input validation to sanitize URL parameters

Content Security Policy

all

Implement CSP headers to restrict script execution sources

Add 'Content-Security-Policy' header with appropriate directives

🧯 If You Can't Patch

  • Implement strict input validation and output encoding for all URL parameters
  • Use web application firewall with XSS protection rules

🔍 How to Verify

Check if Vulnerable:

Check iManager version in administration interface or configuration files

Check Version:

Check iManager web interface or consult documentation for version command

Verify Fix Applied:

Verify version is 3.2.6 or later and test URL parameters for proper sanitization

📡 Detection & Monitoring

Log Indicators:

  • Unusual URL parameters with script tags or JavaScript code
  • Multiple failed access attempts to vulnerable endpoints

Network Indicators:

  • HTTP requests with suspicious parameters containing script tags or JavaScript

SIEM Query:

(web.url:*script* OR web.url:*javascript*) AND dest.app:"imanager"
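
The log indicators above, as an added Python example (not from the vendor or the original page): it percent-decodes request targets from access-log lines before matching, so encoded script tags are caught and words such as "description" are not flagged. The `/nps/` path prefix, the Combined Log Format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Assumption: iManager is served under this path prefix; adjust to your deployment.
APP_PREFIX = "/nps/"

# Request field of a Combined Log Format line: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Markers from the page's log indicators: script tags or JavaScript code.
MARKER_RE = re.compile(r"<\s*script|javascript\s*:", re.IGNORECASE)


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded values are normalised."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_requests(lines, prefix=APP_PREFIX):
    """Return request targets under `prefix` whose decoded URL has a marker."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = match.group(1)
        parts = urlsplit(target)
        if not parts.path.startswith(prefix):
            continue  # not the iManager application
        if MARKER_RE.search(fully_decode(parts.path + "?" + parts.query)):
            hits.append(target)
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /nps/page?view=description HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /nps/page?q=%3Cscript%3E HTTP/1.1" 200 640',
    '10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /nps/page?q=%253Cscript%253E HTTP/1.1" 200 640',
    '10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET /other/app?q=%3Cscript%3E HTTP/1.1" 404 0',
    '10.0.0.9 - - [01/Jan/2024:10:00:11 +0000] "GET /nps/page?next=JavaScript%3Avoid(0) HTTP/1.1" 200 640',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print("suspicious:", hit)
```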
