CVE-2015-0551

04.07.2015, 14:59

Multiple cross-site scripting (XSS) vulnerabilities in EMC Documentum WebTop 6.7SP1 before P31, 6.7SP2 before P23, and 6.8 before P01; Documentum Administrator 6.7SP1 before P31, 6.7SP2 before P23, 7.0 before P18, 7.1 before P15, and 7.2 before P01; Documentum Digital Assets Manager 6.5SP6 before P25; Documentum Web Publishers 6.5 SP7 before P25; and Documentum Task Space 6.7SP1 before P31 and 6.7SP2 before P23 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

Cross-site Scripting

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Vector
NIST	NIST	3.5 UNKNOWN	NETWORK	MEDIUM	AV:N/AC:M/Au:S/C:N/I:P/A:N
dell	CNA	---			---
CVE	ADP	---			---

Base Score

CVSS 3.x

EPSS Score

Percentile: 37%

Vendor	Product	Version
emc	documentum_administrator	6.7:sp1
emc	documentum_administrator	6.7:sp2
emc	documentum_administrator	7.0
emc	documentum_administrator	7.1
emc	documentum_administrator	7.2
emc	documentum_digital_asset_manager	6.5:sp6
emc	documentum_taskspace	6.7:sp1
emc	documentum_taskspace	6.7:sp2
emc	documentum_web_publisher	6.5:sp7
emc	documentum_webtop	6.7:sp1
emc	documentum_webtop	6.7:sp2
emc	documentum_webtop	6.8

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

http://seclists.org/bugtraq/2015/Jul/9

http://www.securitytracker.com/id/1032770

http://seclists.org/bugtraq/2015/Jul/9

http://www.securitytracker.com/id/1032770