search menu icon-carat-right cmu-wordmark

CERT Coordination Center

EMC Documentum Product Suite version 6.7 contains a DOM based cross-site scripting vulnerability

Vulnerability Note VU#466876

Original Release Date: 2013-11-14 | Last Revised: 2013-11-14

Overview

EMC Documentum Product Suite version 6.7 and possibly earlier versions contain a DOM based cross-site scripting vulnerability (CWE-79).

Description

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

EMC Documentum Product Suite version 6.7 and possibly earlier versions contain a DOM based cross-site scripting vulnerability. An attacker can inject arbitrary script via the vulnerable query string parameter __dmfUrl.

For example:
http://www.example.com/webtop/wdk/redirect.jsp?ReLoad=1372583728974&__dmfUrl=javascript:alert('xss')//

Impact

An unauthenticated remote attacker may be able to execute arbitrary script in the context of the end-user's browser session.

Solution

Apply an Update

EMC has released a security bulletin concerning this issue. Users are advised to visit the EMC support page to download patches to address this vulnerability.

Vendor Information

466876
 
Affected   Unknown   Unaffected

EMC Corporation

Notified:  August 15, 2013 Updated:  October 30, 2013

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


CVSS Metrics

Group Score Vector
Base 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N
Temporal 4.5 E:POC/RL:OF/RC:C
Environmental 3.4 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Tudor Enache of Help AG Middle East for reporting this vulnerability.

This document was written by Adam Rauf.

Other Information

CVE IDs: CVE-2013-3281
Date Public: 2013-11-05
Date First Published: 2013-11-14
Date Last Updated: 2013-11-14 14:55 UTC
Document Revision: 24

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.