Vulnerability Note VU#346982
EMC Document Sciences xPression contains multiple vulnerabilities
EMC Document Sciences xPression 4.2 Patch 16 and possibly earlier versions contain path traversal, SQL injection, cross-site scripting (XSS), open redirect, and cross-site request forgery (CSRF) vulnerabilities.
EMC Document Sciences xPression 4.2 Patch 16 and possibly earlier versions contain the following vulnerabilities in the xAdmin and xDashboard applications:
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') - CVE-2013-6177
An attacker may be able to read files from the filesystem, read or modify data in the application database, execute arbitrary scripts in the context of a victim's browser, redirect users to other websites, and forge requests on behalf of the victim.
Apply an Update
EMC has released a security advisory addressing these issues.
Vendor Information (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|EMC Corporation||Affected||12 Jul 2013||27 Nov 2013|
CVSS Metrics (Learn More)
Credit goes to Verizon Enterprise Solutions - Threat and Vulnerability Management (GCIS)
For Discovery: Sertan Kolat and Omer Coskun
For Analysis and coordination: Thierry Zoller
This document was written by Todd Lewellen.
- CVE IDs: CVE-2013-6173 CVE-2013-6174 CVE-2013-6175 CVE-2013-6176 CVE-2013-6177
- Date Public: 20 Nov 2013
- Date First Published: 02 Dec 2013
- Date Last Updated: 02 Dec 2013
- Document Revision: 22
If you have feedback, comments, or additional information about this vulnerability, please send us email.