WDK Vulnerabilities Prior To Webtop 6.8 | dm_misc: Miscellaneous Documentum Information
There is just enough time left in 2014 to slip in one more ESA: ESA-2014-180: EMC Documentum Web Development Kit Multiple Vulnerabilities. As the title implies, this ESA addresses vulnerabilities that exist in ALL VERSIONS of WDK-based clients prior to Webtop 6.8 (by release date). These clients include:
Webtop 6.7 SP2 and earlier
Documentum Administrator 7.1 and earlier
Records Client 6.7 SP2 and earlier
Digital Assets Manager 6.5 SP6 and earlier
Web Publishers 6.5 SP7 and earlier
Task Space 6.7 SP2 and earlier
Engineering Plant Facilities Management Solution for Documentum 1.7 SP1 and earlier
Capital Projects 1.9 and earlier
The vulnerabilities include:
Cross-Site Scripting – EMC Documentum WDK and WDK-based clients may be affected by multiple cross-site scripting vulnerabilities that could potentially be exploited by an attacker to inject malicious HTML or scripts. This may lead to execution of malicious code in the context of the authenticated user.
Cross-Site Request Forgery – EMC Documentum WDK and WDK-based clients may be affected by a cross-site request forgery vulnerability. An attacker can potentially exploit this vulnerability to trick authenticated users of the application into clicking specially crafted links embedded within an email, web page, or other source, and perform Docbase operations with that user's privileges.
URL Redirection – EMC Documentum WDK and WDK-based clients may be affected by a URL redirection vulnerability that may allow attackers to redirect users to arbitrary web sites and conduct phishing attacks. The attacker can specify the location of the arbitrary site in the un-validated parameter of a crafted URL. If this URL is accessed, the browser is redirected to the arbitrary site specified in the parameter.
Frame Injection – EMC Documentum WDK and WDK-based clients may be affected by a frame injection vulnerability. An attacker can potentially exploit this vulnerability to induce a user to navigate to a web page the attacker controls; the attacker's page loads a third-party page in an HTML frame. This could result in the attacker stealing sensitive information.
Parameter Generated with Insufficient Randomness – EMC Documentum WDK and WDK-based clients use a parameter that is generated with insufficient randomness to reference Webtop components. An attacker can potentially exploit this vulnerability by predicting the parameter, helping the attacker to launch phishing attacks.
The only available resolution at the time of this writing is to upgrade Webtop to v6.8, which contains WDK 6.8 and resolves these issues. However, Webtop 6.8 is the only application tested and certified to run with WDK 6.8, so until the other WDK-based clients are tested and certified, they remain vulnerable. EMC will co
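For sites that cannot move to Webtop 6.8 yet, the classes named in the ESA map onto well-known server-side controls that a reverse proxy, servlet filter or custom component in front of a WDK client can enforce. The following is an added example written for this post; it is not code from the dm_misc blog, from EMC, or from WDK itself. It shows three such controls in Python: restricting any URL-valued request parameter to the application's own origin (the control for the URL Redirection class, and equally applicable to a parameter that names a frame source), generating and checking an anti-CSRF token from a cryptographically secure source (the control for CSRF and for the insufficient-randomness class), and the response headers that stop the application's pages being framed by other origins (the control for Frame Injection). The origin webtop.example.com, the function names and the sample parameter values are all constructed for the example.

```python
"""Added example: defensive checks for three vulnerability classes listed in
ESA-2014-180. Not part of the dm_misc post or of EMC WDK; every name and
sample value below is constructed for illustration."""
import hmac
import secrets
from typing import Dict, Optional
from urllib.parse import urljoin, urlsplit

# Constructed placeholder for the Webtop deployment's own origin.
APP_ORIGIN = "https://webtop.example.com"


def safe_redirect_target(param: str, app_origin: str = APP_ORIGIN) -> str:
    """Return a URL that is guaranteed to stay on the application's origin.

    This is the control for the URL Redirection class: the ESA describes an
    un-validated parameter whose value ends up as the redirect destination.
    The parameter is resolved relative to the application root and accepted
    only if the scheme and host of the result still match the application;
    anything else (absolute URLs to other hosts, protocol-relative '//host'
    values, 'javascript:' URLs) falls back to the application root. The same
    check applies to any parameter that names a frame source.
    """
    if not param:
        return app_origin + "/"
    # Browsers treat '\' like '/' in URL paths, so '/\evil.test' would become
    # protocol-relative after parsing; normalise first so the check sees it.
    candidate = param.replace("\\", "/")
    resolved = urljoin(app_origin + "/", candidate)
    target, origin = urlsplit(resolved), urlsplit(app_origin)
    if target.scheme != origin.scheme or target.netloc.lower() != origin.netloc.lower():
        return app_origin + "/"
    return resolved


def new_csrf_token() -> str:
    """Control for CSRF and the insufficient-randomness class.

    The token comes from the OS CSPRNG (secrets), so it cannot be predicted
    from a counter, timestamp or session id the way a weakly generated
    parameter can. 32 bytes gives 256 bits of entropy; the result is URL-safe
    so it can travel in a hidden form field or a request header.
    """
    return secrets.token_urlsafe(32)


def csrf_token_matches(expected: str, presented: Optional[str]) -> bool:
    """Compare the token from the request against the session's stored token.

    hmac.compare_digest runs in constant time, so a wrong guess does not leak
    how many leading characters were correct.
    """
    if not presented:
        return False
    return hmac.compare_digest(expected, presented)


def anti_framing_headers() -> Dict[str, str]:
    """Control for the Frame Injection class.

    Both headers tell the browser that the application's pages may only be
    loaded into frames on the application's own origin. X-Frame-Options is
    the legacy header; the CSP frame-ancestors directive is its successor and
    takes precedence where both are understood.
    """
    return {
        "X-Frame-Options": "SAMEORIGIN",
        "Content-Security-Policy": "frame-ancestors 'self'",
    }


if __name__ == "__main__":
    # Constructed sample parameter values a filter might see.
    for value in ("/webtop/component/main", "//evil.test/phish",
                  "https://evil.test/phish", "/\\evil.test/phish",
                  "javascript:alert(1)", ""):
        print(f"{value!r:32} -> {safe_redirect_target(value)}")
    token = new_csrf_token()
    print("token ok:", csrf_token_matches(token, token),
          "wrong token ok:", csrf_token_matches(token, new_csrf_token()))
    print(anti_framing_headers())
```

The redirect check deliberately compares the full scheme and host rather than looking for the application's hostname as a substring, so lookalike hosts such as webtop.example.com.evil.test and userinfo tricks (webtop.example.com@evil.test) are rejected along with plain foreign hosts. Any of these controls can be retrofitted outside the WDK code base (for example in a servlet filter or at the reverse proxy), which matters here because the ESA notes that the non-Webtop clients are not yet certified on the fixed WDK.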