The JCS web console can be accessed using the following URLs:
http://xx.xxx.xx.xx:20080/WEB-INF/web.xml
https://xx.xxx.xx.xx:20443/WEB-INF/web.xml
This is a JCS vulnerability: web.xml must be private, and the above pages should not be visible.
Release: 14.3 CP2
Component: IdentityMinder (Identity Manager)
A new hotfix, HF_DE509670, is provided to address the CVE-2004-2734 and CVE-2014-0053 vulnerabilities in the Java Connector Server console.
The fix has to be installed on top of 14.3 CP2.
The fix is included in IM 14.4.
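To confirm after installing the hotfix that the descriptor is no longer served, a check along these lines can be run against the JCS host. This is an added example, not vendor code; the function names, the `cafile` option and the `<web-app` content test are assumptions, while the ports and path are the ones in the URLs above.

```python
import ssl
import sys
import urllib.error
import urllib.request

# Ports and path are the ones shown in the article's URLs.
ENDPOINTS = (("http", 20080), ("https", 20443))
DESCRIPTOR_PATH = "/WEB-INF/web.xml"


def is_exposed(status, body):
    """True when the response looks like a served deployment descriptor."""
    return status == 200 and b"<web-app" in body[:4096].lower()


def fetch(url, cafile=None, timeout=5):
    """Return (status, body); HTTP error statuses are returned, not raised."""
    # cafile (assumption): CA bundle that signed the JCS certificate, if private.
    ctx = ssl.create_default_context(cafile=cafile) if url.startswith("https") else None
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read(65536)
    except urllib.error.HTTPError as err:
        return err.code, err.read(65536)


def check_host(host, fetcher=fetch):
    """Map each descriptor URL to 'EXPOSED', 'blocked (HTTP n)' or 'unreachable (...)'."""
    results = {}
    for scheme, port in ENDPOINTS:
        url = f"{scheme}://{host}:{port}{DESCRIPTOR_PATH}"
        try:
            status, body = fetcher(url)
        except OSError as err:  # refused connection, timeout, TLS failure
            results[url] = f"unreachable ({err.__class__.__name__})"
            continue
        results[url] = "EXPOSED" if is_exposed(status, body) else f"blocked (HTTP {status})"
    return results


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_jcs_webxml.py <jcs-host>")
    for url, verdict in check_host(sys.argv[1]).items():
        print(f"{verdict:40} {url}")
```

An "unreachable" result on the HTTPS port usually means the certificate could not be verified, so it is not evidence that the descriptor is blocked.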