SecurityTracker.com
Category:   Application (Generic)  >   EMC Documentum
Vendors:   EMC
EMC Documentum Web Development Kit Permits Cross-Site Request Forgery Attacks
SecurityTracker Alert ID:  1030742
SecurityTracker URL:  http://securitytracker.com/id/1030742
CVE Reference:   CVE-2014-2518, CVE-2015-4530
Updated:  Aug 17 2015
Original Entry Date:  Aug 19 2014
Impact:   Modification of user information
Fix Available:  Yes
Vendor Confirmed:  Yes

Description:   A vulnerability was reported in EMC Documentum. A remote user can conduct cross-site request forgery attacks.

The Web Development Kit does not properly validate user-supplied requests. A remote user can create a specially crafted URL that, when loaded by the target user, will take actions on the site acting as the target user.
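An illustrative server-side check of the kind that closes this class of issue (a state-changing action reachable by a loadable URL, no origin check, no session-bound token), added here as an example and not code from EMC or the WDK; the site origin, endpoint path, header values and session id are constructed:

```python
"""Anti-CSRF request validation; an illustrative example, not EMC Documentum WDK code."""
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

SITE_ORIGIN = "https://docs.example.test"        # constructed deployment origin
STATE_CHANGING_PATHS = {"/app/update_profile"}   # constructed action endpoint
SERVER_SECRET = secrets.token_bytes(32)          # per-deployment secret, never sent to clients

def issue_token(session_id: str) -> str:
    """Token keyed by the server secret and bound to the session: another origin can neither compute nor read it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def same_origin(header_value) -> bool:
    if not header_value:                         # no Origin/Referer at all: treat as cross-site
        return False
    got, want = urlparse(header_value), urlparse(SITE_ORIGIN)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)

def validate_request(req: dict):
    """Return (allowed, reason) for a request dict: method, path, headers, params, session_id (from the cookie)."""
    if req["path"] not in STATE_CHANGING_PATHS:
        return True, "read-only path"
    # A crafted URL loaded by the victim arrives as a GET carrying the victim's
    # session cookie; a state change must never be reachable that way.
    if req["method"] != "POST":
        return False, "state change attempted via GET"
    if not same_origin(req["headers"].get("Origin") or req["headers"].get("Referer")):
        return False, "cross-site origin"
    # Constant-time comparison so the token cannot be recovered byte by byte.
    supplied = req["params"].get("csrf_token", "")
    if not hmac.compare_digest(issue_token(req["session_id"]), supplied):
        return False, "missing or invalid token"
    return True, "ok"

def run_checks() -> dict:
    """One legitimate request and three that the check must reject (all constructed)."""
    sid, here = "sess-1234", {"Origin": SITE_ORIGIN}
    elsewhere, path = {"Referer": "https://other-site.example.test/page"}, "/app/update_profile"
    cases = {
        "legit_post": dict(method="POST", path=path, headers=here,
                           params={"csrf_token": issue_token(sid)}, session_id=sid),
        "crafted_url": dict(method="GET", path=path, headers=elsewhere,
                            params={"email": "new@example.test"}, session_id=sid),
        "cross_site_post": dict(method="POST", path=path, headers=elsewhere,
                                params={"csrf_token": "guess"}, session_id=sid),
        "no_token": dict(method="POST", path=path, headers=here, params={}, session_id=sid),
    }
    return {name: validate_request(r)[1] for name, r in cases.items()}
```

The rejected "crafted_url" case is the scenario the advisory describes: the victim's browser supplies the session cookie automatically, so only the method, origin and token checks distinguish it from a genuine action.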

The following product versions are affected:

EMC Documentum Webtop versions prior to 6.7 SP1 P28
EMC Documentum Webtop versions prior to 6.7 SP2 P15
EMC Documentum Administrator versions prior to 6.7 SP1 P28
EMC Documentum Administrator versions prior to 6.7 SP2 P15
EMC Documentum Administrator versions prior to 7.0 P15
EMC Documentum Administrator versions prior to 7.1 P06
EMC Documentum WDK versions prior to 6.7 SP1 P28
EMC Documentum WDK versions prior to 6.7 SP2 P15
EMC Documentum Taskspace versions prior to 6.7 SP1 P28
EMC Documentum Taskspace versions prior to 6.7 SP2 P15
EMC Documentum Records Manager versions prior to 6.7 SP1 P28
EMC Documentum Records Manager versions prior to 6.7 SP2 P15
EMC Documentum Web Publisher versions prior to 6.5 SP7 P15
EMC Documentum Digital Asset Manager versions prior to 6.5 SP6 P15
EMC Documentum Engineering Plant Facilities Management Solution 1.7 SP1 (on WebTop 6.7 SP1), versions prior to P13
EMC Documentum Capital Projects 1.8 (on WebTop 6.7 SP1), versions prior to P11
EMC Documentum Capital Projects 1.8 (on WebTop 6.7 SP2), versions prior to P11
EMC Documentum Capital Projects 1.9 (on WebTop 6.7 SP2)

Impact:   A remote user can take actions on the site acting as the target user.
Solution:   The vendor has issued a fix (Documentum WebTop 6.8P01, Documentum Administrator 7.2).

[Editor's note: On August 17, 2015, the vendor released an updated fix (Advisory ESA-2015-130) because the original fix (Advisory ESA-2014-073) was incomplete. The incomplete fix has been assigned CVE-2015-4530.]

Vendor URL:  www.emc.com/
Cause:   Access control error
Underlying OS:  Windows (2003), Windows (2008)

Message History:   None.

Source Message Contents:   [Original Message Not Available for Viewing]

Copyright 2022, SecurityGlobal.net LLC