EMC Document Sciences xPression 4.2 Patch 16 and possibly earlier versions contain path traversal, SQL injection, cross-site scripting (XSS), open redirect, and cross-site request forgery (CSRF) vulnerabilities.
EMC Document Sciences xPression 4.2 Patch 16 and possibly earlier versions contain the following vulnerabilities in the xAdmin and xDashboard applications:
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') - CVE-2013-6177
An attacker may be able to read files from the filesystem, read or modify data in the application database, execute arbitrary scripts in the context of a victim's browser, redirect users to other websites, and forge requests on behalf of the victim.
Apply an Update
EMC has released a security advisory addressing these issues.
Credit goes to Verizon Enterprise Solutions - Threat and Vulnerability Management (GCIS) For Discovery: Sertan Kolat and Omer CoskunFor Analysis and coordination: Thierry Zoller
This document was written by Todd Lewellen.