
CVSS: 9.8 | EPSS: 8% | CPEs: 7 | EXPL: 2

OpenText Documentum D2 (formerly EMC Documentum D2) 4.x allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the BeanShell (bsh) and Apache Commons Collections (ACC) libraries. OpenText Documentum D2 version 4.x contains vulnerable BeanShell (bsh) and Apache Commons libraries and accepts serialized data from untrusted sources, which leads to remote code execution.
• https://www.exploit-db.com/exploits/41366
• http://packetstormsecurity.com/files/141105/OpenText-Documentum-D2-4.x-Remote-Code-Execution.html
• http://www.securityfocus.com/bid/96216
• CWE-20: Improper Input Validation

CVSS: 6.1 | EPSS: 0% | CPEs: 2 | EXPL: 0

EMC Documentum D2 version 4.5 and EMC Documentum D2 version 4.6 have Reflected Cross-Site Scripting Vulnerabilities that could potentially be exploited by malicious users to compromise the affected system.
• http://www.securityfocus.com/archive/1/540060/30/0/threaded
• http://www.securityfocus.com/bid/95824
• http://www.securitytracker.com/id/1037733
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.5 | EPSS: 0% | CPEs: 2 | EXPL: 0

EMC Documentum D2 version 4.5 and EMC Documentum D2 version 4.6 have a DQL Injection Vulnerability that could potentially be exploited by malicious users to compromise the affected system. An authenticated low-privileged attacker could potentially exploit this vulnerability to access information, modify data or disrupt services by causing execution of arbitrary DQL commands on the application.
• http://www.securityfocus.com/archive/1/540060/30/0/threaded
• http://www.securityfocus.com/bid/95828
• http://www.securitytracker.com/id/1037733
• CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVSS: 5.3 | EPSS: 0% | CPEs: 2 | EXPL: 0

EMC Documentum D2 4.5 before patch 15 and 4.6 before patch 03 allows remote attackers to read arbitrary Docbase documents by leveraging knowledge of an r_object_id value.
• http://seclists.org/bugtraq/2016/Sep/18
• http://www.securityfocus.com/bid/92906
• http://www.securitytracker.com/id/1036796
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
• CWE-264: Permissions, Privileges, and Access Controls

CVSS: 9.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

EMC Documentum D2 before 4.6 lacks intended ACLs for configuration objects, which allows remote authenticated users to modify objects via unspecified vectors.
• http://seclists.org/bugtraq/2016/Apr/20
• http://www.securitytracker.com/id/1035459