Novell Service Desk vulnerabilities
4 known vulnerabilities affecting novell/service_desk.
Total CVEs: 4
CISA KEV: 0
Public exploits: 4
Exploited in wild: 0
Severity breakdown: HIGH 1, MEDIUM 3
Vulnerabilities
CVE-2016-1593 [HIGH] CWE-22 | CVSS 7.2 | PoC | ≤ 7.1 | 2016-04-22
Directory traversal vulnerability in the import users feature in Micro Focus Novell Service Desk before 7.2 allows remote authenticated administrators to upload and execute arbitrary JSP files via a .. (dot dot) in a filename within a multipart/form-data POST request to a LiveTime.woa URL.
nvd
CVE-2016-1594 [MEDIUM] CWE-200 | CVSS 6.5 | PoC | ≤ 7.1 | 2016-04-22
Micro Focus Novell Service Desk before 7.2 allows remote authenticated users to read arbitrary attachments via a request to a LiveTime.woa URL, as demonstrated by obtaining sensitive information via a (1) downloadLogFiles or (2) downloadFile action.
nvd
CVE-2016-1595 [MEDIUM] CWE-200 | CVSS 6.5 | PoC | ≤ 7.1 | 2016-04-22
LiveTime/WebObjects/LiveTime.woa/wa/DownloadAction/downloadFile in Micro Focus Novell Service Desk before 7.2 allows remote authenticated users to conduct Hibernate Query Language (HQL) injection attacks and obtain sensitive information via the entityName parameter.
nvd
CVE-2016-1596 [MEDIUM] CWE-79 | CVSS 5.4 | PoC | ≤ 7.1 | 2016-04-22
Multiple cross-site scripting (XSS) vulnerabilities in Micro Focus Novell Service Desk before 7.2 allow remote authenticated users to inject arbitrary web script or HTML via a certain (1) user name, (2) tf_aClientFirstName, (3) tf_aClientLastName, (4) ta_selectedTopicContent, (5) tf_orgUnitName, (6) tf_aManufacturerFullName, (7) tf_aManufacturerName, (
nvd