CVE-2015-4530

Cross-site request forgery (CSRF) vulnerability in EMC Documentum WebTop before 6.8P01, Documentum Administrator through 7.2, Documentum Digital Assets Manager through 6.5SP6, Documentum Web Publishers through 6.5SP7, and Documentum Task Space through 6.7SP2 allows remote attackers to hijack the authentication of arbitrary users. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2518.

CVSS v2.0 6.8 MEDIUM

6.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://seclists.org/bugtraq/2015/Aug/87
http://www.securityfocus.com/bid/76405

Advertisement

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:emc:documentum_web_publisher::sp7::::::*
	cpe:2.3:a:emc:documentum_taskspace::sp2::::::*
	cpe:2.3:a:emc:documentum_webtop::::::::
	cpe:2.3:a:emc:documentum_digital_asset_manager::sp6::::::*
	cpe:2.3:a:emc:documentum_administrator::::::::

Information

Published : 2015-08-20 03:59

Updated : 2016-11-28 11:29

NVD link : CVE-2015-4530

Mitre link : CVE-2015-4530

JSON object : View

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

Advertisement

Products Affected

emc

documentum_taskspace
documentum_administrator
documentum_digital_asset_manager
documentum_web_publisher
documentum_webtop

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://seclists.org/bugtraq/2015/Aug/87", "name": "20150817 ESA-2015-130: EMC Documentum WebTop and WebTop Clients Cross-Site Request Forgery Vulnerability", "tags": [], "refsource": "BUGTRAQ"}, {"url": "http://www.securityfocus.com/bid/76405", "name": "76405", "tags": [], "refsource": "BID"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Cross-site request forgery (CSRF) vulnerability in EMC Documentum WebTop before 6.8P01, Documentum Administrator through 7.2, Documentum Digital Assets Manager through 6.5SP6, Documentum Web Publishers through 6.5SP7, and Documentum Task Space through 6.7SP2 allows remote attackers to hijack the authentication of arbitrary users. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2518."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-352"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2015-4530", "ASSIGNER": "secure@dell.com"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "severity": "MEDIUM", "impactScore": 6.4, "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}}, "publishedDate": "2015-08-20T10:59Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:emc:documentum_web_publisher:*:sp7:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "6.5"}, {"cpe23Uri": "cpe:2.3:a:emc:documentum_taskspace:*:sp2:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "6.7"}, {"cpe23Uri": "cpe:2.3:a:emc:documentum_webtop:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "6.8"}, {"cpe23Uri": "cpe:2.3:a:emc:documentum_digital_asset_manager:*:sp6:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "6.5"}, {"cpe23Uri": "cpe:2.3:a:emc:documentum_administrator:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "7.2"}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2016-11-28T19:29Z"}