LiveTime/WebObjects/LiveTime.woa/wa/DownloadAction/downloadFile in Micro Focus Novell Service Desk before 7.2 allows remote authenticated users to conduct Hibernate Query Language (HQL) injection attacks and obtain sensitive information via the entityName parameter.
Novell Service Desk versions 7.1.0 and below suffer from code execution, information disclosure, cross site scripting, remote file upload, HQL injection, and traversal vulnerabilities.