New Documentum Security Vulnerabilities Announced
November 5, 2013
On Monday, EMC announced it had identified and corrected two new security vulnerabilities in the Documentum family of products; both are of the Cross-Site Scripting variety.
The first involves eRoom 7.4.4 prior to P11. Here is the announcement: ESA-2013-073: EMC Documentum eRoom Multiple Cross Site Scripting Vulnerabilities.
The second vulnerability affects the 6.7 SP web client products. Specifically:
- Documentum Webtop prior to 6.7 SP2 P07
- Documentum WDK prior to 6.7 SP2 P07
- Documentum Taskspace prior to 6.7 SP2 P07
- Documentum Records Manager prior to 6.7 SP2 P07
- Documentum Web Publisher prior to 6.5 SP7
- Documentum Digital Asset Manager prior to 6.5 SP6
- Documentum Administrator prior to 6.7 SP2 P07
- Documentum Capital Projects prior to 1.8 P01
Here is the announcement: ESA-2013-070: EMC Documentum Cross Site Scripting Vulnerability.
Please read the ESAs for remedy details, but in most cases, applying the noted patches corrects the problems.
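Checking an inventory against these thresholds by hand is error-prone because Documentum versions carry three parts (base release, service pack, patch). The following script is an added example, not code from this post or from EMC: it parses version strings in the "6.7 SP2 P07" style used above and flags installed components that sit below the fixed version named in the two ESAs. It assumes that any version lower than the fixed one should be treated as unpatched (a conservative reading; the ESAs themselves remain authoritative on scope), and the inventory it runs over is constructed for illustration.

```python
import re
from typing import List, NamedTuple, Tuple

# Fixed versions as listed in the post (ESA-2013-070 and ESA-2013-073).
FIXED_VERSIONS = {
    "Documentum eRoom": "7.4.4 P11",
    "Documentum Webtop": "6.7 SP2 P07",
    "Documentum WDK": "6.7 SP2 P07",
    "Documentum Taskspace": "6.7 SP2 P07",
    "Documentum Records Manager": "6.7 SP2 P07",
    "Documentum Web Publisher": "6.5 SP7",
    "Documentum Digital Asset Manager": "6.5 SP6",
    "Documentum Administrator": "6.7 SP2 P07",
    "Documentum Capital Projects": "1.8 P01",
}

# Accepts "6.7", "6.7 SP2", "6.7 SP2 P07", "7.4.4 P11" (SP and P parts optional).
_VERSION_RE = re.compile(
    r"^\s*(\d+(?:\.\d+)*)(?:\s+SP(\d+))?(?:\s+P(\d+))?\s*$", re.IGNORECASE
)


class Version(NamedTuple):
    base: Tuple[int, ...]   # e.g. (6, 7, 0)
    sp: int                 # service pack, 0 if absent
    patch: int              # patch level, 0 if absent


def parse_version(text: str) -> Version:
    """Parse a Documentum-style version string into a comparable tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Documentum version string: {text!r}")
    base = tuple(int(part) for part in m.group(1).split("."))
    base = base + (0,) * (3 - len(base))   # pad so "6.7" and "6.7.0" compare equal
    sp = int(m.group(2)) if m.group(2) else 0
    patch = int(m.group(3)) if m.group(3) else 0
    return Version(base, sp, patch)


def is_affected(product: str, installed: str) -> bool:
    """True when the installed version is below the fixed version for that product.

    Assumption: every version lower than the fixed one is treated as unpatched.
    """
    fixed = FIXED_VERSIONS.get(product)
    if fixed is None:
        raise KeyError(f"no fixed version recorded for {product!r}")
    # NamedTuple compares field by field: base release, then SP, then patch.
    return parse_version(installed) < parse_version(fixed)


def unpatched(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (product, version) pairs from an inventory that still need patching."""
    return [(product, version) for product, version in inventory
            if is_affected(product, version)]


# Constructed sample inventory for illustration; not real deployment data.
SAMPLE_INVENTORY = [
    ("Documentum Webtop", "6.7 SP2 P05"),          # below P07 -> unpatched
    ("Documentum Administrator", "6.7 SP2 P07"),   # at the fixed level -> ok
    ("Documentum eRoom", "7.4.4 P09"),             # below P11 -> unpatched
    ("Documentum Web Publisher", "6.5 SP7"),       # at the fixed level -> ok
    ("Documentum Taskspace", "6.7 SP1 P12"),       # SP1 is below SP2 -> unpatched
]

if __name__ == "__main__":
    for product, version in unpatched(SAMPLE_INVENTORY):
        print(f"UNPATCHED: {product} {version} (fixed in {FIXED_VERSIONS[product]})")
```

Run against your own inventory by replacing `SAMPLE_INVENTORY` with the product and version strings reported by each installation; a string the regex does not recognise raises `ValueError` rather than being silently skipped, so odd version labels surface instead of hiding an unpatched host.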
Unfortunately, it’s just a drop in the ocean. During the last 6 months I have found about 20 XSRFs and 10 shell injections 😦
Thanks for your comment. Have you published your findings or alerted EMC? I would be very interested in seeing your research if you care to share it. I don’t have the time to engage in security testing of Documentum myself, and find it difficult to find good security assessments and resources on it.
https://community.emc.com/people/PanfilovAB/blog/tags#/?tags=security
That’s awesome, thanks for sharing!
Pingback: DFS, Content Server, and eRoom Vulnerabilities | dm_misc: Miscellaneous Documentum Information