CVE-2014-3138 – Xerox DocuShare - SQL Injection
https://notcve.org/view.php?id=CVE-2014-3138
SQL injection vulnerability in Xerox DocuShare before 6.53 Patch 6 Hotfix 2, 6.6.1 Update 1 before Hotfix 24, and 6.6.1 Update 2 before Hotfix 3 allows remote authenticated users to execute arbitrary SQL commands via the PATH_INFO to /docushare/dsweb/ResultBackgroundJobMultiple/. NOTE: some of these details are obtained from third party information. The injection point is the path suffix (PATH_INFO) rather than a query parameter, so request logs and WAF rules that only inspect the query string will miss it; a valid DocuShare account is required, so the fix is the vendor hotfix for the affected branch (Xerox bulletin XRX14-003).
References:
- https://www.exploit-db.com/exploits/32886
- http://packetstormsecurity.com/files/126171/Xerox-DocuShare-SQL-Injection.html
- http://seclists.org/fulldisclosure/2014/Apr/205
- http://secunia.com/advisories/57996
- http://www.exploit-db.com/exploits/32886
- http://www.osvdb.org/105972
- http://www.securityfocus.com/bid/66922
- http://www.xerox.com/download/security/security-bulletin/a72cd-4f7a54ce14460/cert_XRX14-003_V1.0.pdf
- https://exchange.xforce.ibmcloud.com/vulnerabilities/92548
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2008-5225 – Xerox DocuShare 6 - docushare/dsweb/ServicesLib/Group URI Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2008-5225
Multiple cross-site scripting (XSS) vulnerabilities in Xerox DocuShare 6 and earlier allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to the default URI under (1) SearchResults/ and (2) Services/ in dsdn/dsweb/, and (3) the default URI under unspecified docushare/dsweb/ServicesLib/Group-#/ directories (where # is a numeric group identifier). As with the later SQL injection issue, the payload travels in the path suffix rather than in a query parameter; no authentication is listed as required, and the affected pages reflect the PATH_INFO into the response without encoding it.
References:
- https://www.exploit-db.com/exploits/31864
- https://www.exploit-db.com/exploits/31862
- https://www.exploit-db.com/exploits/31863
- http://secunia.com/advisories/30426
- http://securityreason.com/securityalert/4638
- http://www.securityfocus.com/archive/1/492766/100/0/threaded
- http://www.securityfocus.com/archive/1/492960/100/0/threaded
- http://www.securityfocus.com/bid/29430
- http://www.securitytracker.com/id?1020147
- http://www.vupen.com/english/advisories/2008/1701/references
- https:&
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
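Both entries above share a detection problem: the untrusted input rides in PATH_INFO (the path suffix after the servlet name), so a log scan keyed on query parameters sees nothing. The following added example, which is not part of the notcve.org page or of any Xerox or DocuShare code, walks combined-format access-log lines, isolates the PATH_INFO behind each of the endpoints named in CVE-2014-3138 and CVE-2008-5225, percent-decodes it (twice, so double-encoded payloads are also caught) and flags generic SQL-injection or HTML-injection markers. The log lines, the endpoint table, the marker regexes and the probe strings are all constructed for illustration; the probe strings are generic tautology and script-tag patterns, not the published exploits for these CVEs.

```python
import re
from typing import Dict, List
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (combined format); not from a real DocuShare host.
SAMPLE_LOG = """\
10.0.0.5 - jdoe [12/Apr/2014:10:01:02 +0000] "GET /docushare/dsweb/ResultBackgroundJobMultiple/1 HTTP/1.1" 200 512
10.0.0.7 - jdoe [12/Apr/2014:10:01:09 +0000] "GET /docushare/dsweb/ResultBackgroundJobMultiple/1'%20OR%20'1'='1 HTTP/1.1" 500 0
10.0.0.9 - - [12/Apr/2014:10:02:11 +0000] "GET /dsdn/dsweb/SearchResults/%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 2048
10.0.0.9 - - [12/Apr/2014:10:02:30 +0000] "GET /docushare/dsweb/ServicesLib/Group-42/ HTTP/1.1" 200 1024
10.0.0.3 - - [12/Apr/2014:10:03:00 +0000] "GET /docushare/dsweb/View/Collection-10 HTTP/1.1" 200 4096
"""

# Combined-log-format parser: client, user, timestamp, method, request target, status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Endpoints from the two advisories. Everything after the matched prefix is the PATH_INFO
# that the vulnerable servlet consumes. (Assumed table, built from the CVE text.)
WATCHED = [
    ("CVE-2014-3138", "sqli", re.compile(r"^/docushare/dsweb/ResultBackgroundJobMultiple/")),
    ("CVE-2008-5225", "xss", re.compile(r"^/dsdn/dsweb/(?:SearchResults|Services)/")),
    ("CVE-2008-5225", "xss", re.compile(r"^/docushare/dsweb/ServicesLib/Group-\d+/")),
]

# Deliberately coarse markers: a quote, comment sequence or SQL keyword where an
# identifier is expected, or angle brackets / event handlers where plain text is expected.
SQLI_RE = re.compile(r"'|--|/\*|\bunion\b|\bselect\b", re.IGNORECASE)
XSS_RE = re.compile(r"[<>]|javascript:|\bon\w+=", re.IGNORECASE)


def decode_path(raw: str) -> str:
    """Percent-decode at most twice so %253C (double-encoded '<') is normalised too."""
    decoded = raw
    for _ in range(2):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def scan_log(text: str) -> List[Dict]:
    """Return one finding per request whose PATH_INFO on a watched endpoint looks hostile."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        path = decode_path(urlsplit(m["target"]).path)
        for cve, kind, prefix in WATCHED:
            pm = prefix.match(path)
            if not pm:
                continue
            path_info = path[pm.end():]
            marker = SQLI_RE if kind == "sqli" else XSS_RE
            if marker.search(path_info):
                findings.append({
                    "cve": cve,
                    "kind": kind,
                    "ip": m["ip"],
                    "user": m["user"],
                    "status": int(m["status"]),
                    "path_info": path_info,
                })
            break  # a path matches at most one watched endpoint
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['cve']} {f['kind']:4} {f['ip']:10} user={f['user']} "
              f"status={f['status']} PATH_INFO={f['path_info']!r}")
```

The scan only triggers on the endpoints the advisories name, so the benign Group-42 request and the unrelated View/ request produce no finding; the 500 status on the flagged SQL-injection request is the kind of corroborating signal worth keeping in the finding, since a database error on that servlet is a typical side effect of a successful probe. Because the vulnerable input is the path, this same decode-then-inspect step is what a WAF rule or reverse-proxy filter for these versions has to apply to the request path, not only to the query string.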