cnvd - cnvd-2015-05439

cnvd-2015-05439

Vulnerability from cnvd

Title: 多款EMC Documentum产品跨站请求伪造漏洞

Description:

EMC Documentum WebTop等都是美国易安信（EMC）公司的产品。EMC Documentum WebTop是一套允许用户在标准浏览器应用中访问Documentum存储库和内容管理服务的产品。Documentum Administrator是一个基于Web用来执行Documentum系统管理任务的开发工具。Documentum Digital Asset Manager（DAM）是一套数字资产管理软件。

多款EMC Documentum产品中存在跨站请求伪造漏洞。攻击者可利用该漏洞在用户登录的受影响应用程序上下文中执行未授权操作。

Severity: 中

Patch Name: 多款EMC Documentum产品跨站请求伪造漏洞的补丁

Patch Description:

多款EMC Documentum产品中存在跨站请求伪造漏洞。攻击者可利用该漏洞在用户登录的受影响应用程序上下文中执行未授权操作。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： https://emc.subscribenet.com/control/dctm/download?element=5950091

Reference: http://www.securityfocus.com/bid/76405

Impacted products

Name
['EMC Documentum Web Publishers 6.5 SP7', 'EMC Documentum Task Space 6.7SP2', 'EMC Documentum Webtop < 6.8', 'EMC Documentum Administrator < 7.1', 'EMC Documentum DAM < 6.5SP6']

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "76405"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2015-4530"
    }
  },
  "description": "EMC Documentum WebTop\u7b49\u90fd\u662f\u7f8e\u56fd\u6613\u5b89\u4fe1\uff08EMC\uff09\u516c\u53f8\u7684\u4ea7\u54c1\u3002EMC Documentum WebTop\u662f\u4e00\u5957\u5141\u8bb8\u7528\u6237\u5728\u6807\u51c6\u6d4f\u89c8\u5668\u5e94\u7528\u4e2d\u8bbf\u95eeDocumentum\u5b58\u50a8\u5e93\u548c\u5185\u5bb9\u7ba1\u7406\u670d\u52a1\u7684\u4ea7\u54c1\u3002Documentum Administrator\u662f\u4e00\u4e2a\u57fa\u4e8eWeb\u7528\u6765\u6267\u884cDocumentum\u7cfb\u7edf\u7ba1\u7406\u4efb\u52a1\u7684\u5f00\u53d1\u5de5\u5177\u3002Documentum Digital Asset Manager\uff08DAM\uff09\u662f\u4e00\u5957\u6570\u5b57\u8d44\u4ea7\u7ba1\u7406\u8f6f\u4ef6\u3002\r\n\r\n\u591a\u6b3eEMC Documentum\u4ea7\u54c1\u4e2d\u5b58\u5728\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u7528\u6237\u767b\u5f55\u7684\u53d7\u5f71\u54cd\u5e94\u7528\u7a0b\u5e8f\u4e0a\u4e0b\u6587\u4e2d\u6267\u884c\u672a\u6388\u6743\u64cd\u4f5c\u3002",
  "discovererName": "EMC",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6b64\u5b89\u5168\u95ee\u9898\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a \r\nhttps://emc.subscribenet.com/control/dctm/download?element=5950091",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2015-05439",
  "openTime": "2015-08-21",
  "patchDescription": "EMC Documentum WebTop\u7b49\u90fd\u662f\u7f8e\u56fd\u6613\u5b89\u4fe1\uff08EMC\uff09\u516c\u53f8\u7684\u4ea7\u54c1\u3002EMC Documentum WebTop\u662f\u4e00\u5957\u5141\u8bb8\u7528\u6237\u5728\u6807\u51c6\u6d4f\u89c8\u5668\u5e94\u7528\u4e2d\u8bbf\u95eeDocumentum\u5b58\u50a8\u5e93\u548c\u5185\u5bb9\u7ba1\u7406\u670d\u52a1\u7684\u4ea7\u54c1\u3002Documentum Administrator\u662f\u4e00\u4e2a\u57fa\u4e8eWeb\u7528\u6765\u6267\u884cDocumentum\u7cfb\u7edf\u7ba1\u7406\u4efb\u52a1\u7684\u5f00\u53d1\u5de5\u5177\u3002Documentum Digital Asset Manager\uff08DAM\uff09\u662f\u4e00\u5957\u6570\u5b57\u8d44\u4ea7\u7ba1\u7406\u8f6f\u4ef6\u3002\r\n\r\n\u591a\u6b3eEMC Documentum\u4ea7\u54c1\u4e2d\u5b58\u5728\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u7528\u6237\u767b\u5f55\u7684\u53d7\u5f71\u54cd\u5e94\u7528\u7a0b\u5e8f\u4e0a\u4e0b\u6587\u4e2d\u6267\u884c\u672a\u6388\u6743\u64cd\u4f5c\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "\u591a\u6b3eEMC Documentum\u4ea7\u54c1\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "EMC Documentum Web Publishers 6.5 SP7",
      "EMC Documentum Task Space 6.7SP2",
      "EMC Documentum Webtop \u003c 6.8",
      "EMC Documentum Administrator \u003c 7.1",
      "EMC Documentum DAM  \u003c 6.5SP6"
    ]
  },
  "referenceLink": "http://www.securityfocus.com/bid/76405",
  "serverity": "\u4e2d",
  "submitTime": "2015-08-20",
  "title": "\u591a\u6b3eEMC Documentum\u4ea7\u54c1\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e"
}

CVE-2015-4530 (GCVE-0-2015-4530)

Vulnerability from cvelistv5

Published

2015-08-20 10:00

Modified

2024-08-06 06:18

Severity ?

CWE

Summary

Cross-site request forgery (CSRF) vulnerability in EMC Documentum WebTop before 6.8P01, Documentum Administrator through 7.2, Documentum Digital Assets Manager through 6.5SP6, Documentum Web Publishers through 6.5SP7, and Documentum Task Space through 6.7SP2 allows remote attackers to hijack the authentication of arbitrary users. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2518.

References

▼	URL	Tags
	http://www.securityfocus.com/bid/76405	vdb-entry, x_refsource_BID
	http://seclists.org/bugtraq/2015/Aug/87	mailing-list, x_refsource_BUGTRAQ

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T06:18:11.447Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "76405",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/76405"
          },
          {
            "name": "20150817 ESA-2015-130: EMC Documentum WebTop and WebTop Clients Cross-Site Request Forgery Vulnerability",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://seclists.org/bugtraq/2015/Aug/87"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2015-08-17T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site request forgery (CSRF) vulnerability in EMC Documentum WebTop before 6.8P01, Documentum Administrator through 7.2, Documentum Digital Assets Manager through 6.5SP6, Documentum Web Publishers through 6.5SP7, and Documentum Task Space through 6.7SP2 allows remote attackers to hijack the authentication of arbitrary users.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2518."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2016-11-25T19:57:01",
        "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "shortName": "dell"
      },
      "references": [
        {
          "name": "76405",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/76405"
        },
        {
          "name": "20150817 ESA-2015-130: EMC Documentum WebTop and WebTop Clients Cross-Site Request Forgery Vulnerability",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://seclists.org/bugtraq/2015/Aug/87"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security_alert@emc.com",
          "ID": "CVE-2015-4530",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site request forgery (CSRF) vulnerability in EMC Documentum WebTop before 6.8P01, Documentum Administrator through 7.2, Documentum Digital Assets Manager through 6.5SP6, Documentum Web Publishers through 6.5SP7, and Documentum Task Space through 6.7SP2 allows remote attackers to hijack the authentication of arbitrary users.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2518."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "76405",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/76405"
            },
            {
              "name": "20150817 ESA-2015-130: EMC Documentum WebTop and WebTop Clients Cross-Site Request Forgery Vulnerability",
              "refsource": "BUGTRAQ",
              "url": "http://seclists.org/bugtraq/2015/Aug/87"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
    "assignerShortName": "dell",
    "cveId": "CVE-2015-4530",
    "datePublished": "2015-08-20T10:00:00",
    "dateReserved": "2015-06-11T00:00:00",
    "dateUpdated": "2024-08-06T06:18:11.447Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted