CVE-2014-2512 – EMC Documentum eRoom Stored Cross Site Scripting
https://notcve.org/view.php?id=CVE-2014-2512
Multiple cross-site scripting (XSS) vulnerabilities in EMC Documentum eRoom 7.4.3, 7.4.4 before P19, and 7.4.4 SP1 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
EMC Documentum eRoom versions 7.4.3, 7.4.4, and 7.4.4 SP1 suffer from a stored cross site scripting vulnerability.
• http://archives.neohapsis.com/archives/bugtraq/2014-06/0176.html
• http://packetstormsecurity.com/files/127309/EMC-Documentum-eRoom-Cross-Site-Scripting.html
• http://packetstormsecurity.com/files/127321/EMC-Documentum-eRoom-Stored-Cross-Site-Scripting.html
• http://seclists.org/fulldisclosure/2014/Jul/0
• http://secunia.com/advisories/59419
• http://www.securityfocus.com/archive/1/532608/100/0/threaded
• http://www.securitytracker.com/id/1030493
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2013-6078
https://notcve.org/view.php?id=CVE-2013-6078
The default configuration of EMC RSA BSAFE Toolkits and RSA Data Protection Manager (DPM) 20130918 uses the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm, which makes it easier for context-dependent attackers to defeat cryptographic protection mechanisms by leveraging unspecified "security concerns," aka the ESA-2013-068 issue. NOTE: this issue has been SPLIT from CVE-2007-6755 because the vendor announcement did not state a specific technical rationale for a change in the algorithm; thus, CVE cannot reach a conclusion that a CVE-2007-6755 concern was the reason, or one of the reasons, for this change.
• http://arstechnica.com/security/2013/09/stop-using-nsa-influence-code-in-our-product-rsa-tells-customers
• http://blog.cryptographyengineering.com/2013/09/rsa-warns-developers-against-its-own.html
• http://stream.wsj.com/story/latest-headlines/SS-2-63399/SS-2-332655
• http://threatpost.com/in-wake-of-latest-crypto-revelations-everything-is-suspect
• CWE-310: Cryptographic Issues
CVE-2014-2506
https://notcve.org/view.php?id=CVE-2014-2506
EMC Documentum Content Server before 6.7 SP1 P28, 6.7 SP2 before P14, 7.0 before P15, and 7.1 before P05 allows remote authenticated users to obtain super-user privileges for system-object creation, and bypass intended restrictions on data access and server actions, via unspecified vectors.
• http://archives.neohapsis.com/archives/bugtraq/2014-06/0051.html
• http://packetstormsecurity.com/files/126960/EMC-Documentum-Content-Server-Escalation-Injection.html
• http://secunia.com/advisories/58954
• http://www.securityfocus.com/archive/1/532596/100/0/threaded
• http://www.securityfocus.com/bid/67917
• http://www.securitytracker.com/id/1030339
• CWE-264: Permissions, Privileges, and Access Controls
CVE-2014-2508
https://notcve.org/view.php?id=CVE-2014-2508
EMC Documentum Content Server before 6.7 SP1 P28, 6.7 SP2 before P14, 7.0 before P15, and 7.1 before P05 allows remote authenticated users to conduct Documentum Query Language (DQL) injection attacks and bypass intended restrictions on database actions via vectors involving DQL hints.
• http://archives.neohapsis.com/archives/bugtraq/2014-06/0051.html
• http://packetstormsecurity.com/files/126960/EMC-Documentum-Content-Server-Escalation-Injection.html
• http://secunia.com/advisories/58954
• http://www.securityfocus.com/archive/1/532596/100/0/threaded
• http://www.securityfocus.com/bid/67918
• http://www.securitytracker.com/id/1030339
• CWE-20: Improper Input Validation
CVE-2014-2507
https://notcve.org/view.php?id=CVE-2014-2507
EMC Documentum Content Server before 6.7 SP1 P28, 6.7 SP2 before P14, 7.0 before P15, and 7.1 before P05 allows remote authenticated users to execute arbitrary commands via shell metacharacters in arguments to unspecified methods.
• http://archives.neohapsis.com/archives/bugtraq/2014-06/0051.html
• http://packetstormsecurity.com/files/126960/EMC-Documentum-Content-Server-Escalation-Injection.html
• http://secunia.com/advisories/58954
• http://www.securityfocus.com/archive/1/532596/100/0/threaded
• http://www.securityfocus.com/bid/67916
• http://www.securitytracker.com/id/1030339
• CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')