Vulnerabilities > Opentext

DATE CVE VULNERABILITY TITLE RISK
2017-10-03 CVE-2017-14756 Cross-site Scripting vulnerability in Opentext Document Sciences Xpression 4.5
OpenText Document Sciences xPression (formerly EMC Document Sciences xPression) v4.5SP1 Patch 13 (older versions might be affected as well) is prone to Cross-Site Scripting: /xAdmin/html/Deployment (cat_id).
network
opentext CWE-79
4.3
2017-10-03 CVE-2017-14755 Cross-site Scripting vulnerability in Opentext Document Sciences Xpression 4.5
OpenText Document Sciences xPression (formerly EMC Document Sciences xPression) v4.5SP1 Patch 13 (older versions might be affected as well) is prone to Cross-Site Scripting: /xAdmin/html/XPressoDoc, parameter: categoryId.
network
opentext CWE-79
4.3
2017-10-03 CVE-2017-14754 Path Traversal vulnerability in Opentext Document Sciences Xpression
OpenText Document Sciences xPression (formerly EMC Document Sciences xPression) v4.5SP1 Patch 13 (older versions might be affected as well) is prone to Arbitrary File Read: /xAdmin/html/cm_datasource_group_xsd.jsp, parameter: xsd_datasource_schema_file filename.
network
low complexity
opentext CWE-22
6.8
2017-09-28 CVE-2017-14527 XXE vulnerability in Opentext Documentum Administrator and Documentum Webtop
Multiple XML external entity (XXE) vulnerabilities in the OpenText Documentum Webtop 6.8.0160.0073 allow remote authenticated users to list the contents of arbitrary directories, read arbitrary files, cause a denial of service, or, on Windows, obtain Documentum user hashes via a (1) crafted DTD, involving unspecified XML structures in a request to xda/com/documentum/ucf/server/transport/impl/GAIRConnector or crafted XML file in a MediaProfile file (2) import or (3) check in.
network
low complexity
opentext CWE-611
6.5
2017-09-28 CVE-2017-14526 XXE vulnerability in Opentext Documentum Administrator and Documentum Webtop
Multiple XML external entity (XXE) vulnerabilities in the OpenText Documentum Administrator 7.2.0180.0055 allow remote authenticated users to list the contents of arbitrary directories, read arbitrary files, cause a denial of service, or, on Windows, obtain Documentum user hashes via a (1) crafted DTD, involving unspecified XML structures in a request to xda/com/documentum/ucf/server/transport/impl/GAIRConnector or crafted XML file in a MediaProfile file (2) import or (3) check in.
network
low complexity
opentext CWE-611
6.5
2017-09-28 CVE-2017-14525 Open Redirect vulnerability in Opentext Documentum Administrator and Documentum Webtop
Multiple open redirect vulnerabilities in OpenText Documentum Webtop 6.8.0160.0073 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a (1) URL in the startat parameter to xda/help/en/default.htm or (2) /%09/ (slash encoded horizontal tab slash) followed by a domain in the redirectUrl parameter to xda/component/virtuallinkconnect.
network
opentext CWE-601
5.8
2017-09-28 CVE-2017-14524 Open Redirect vulnerability in Opentext Documentum Administrator and Documentum Webtop
Multiple open redirect vulnerabilities in OpenText Documentum Administrator 7.2.0180.0055 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a (1) URL in the startat parameter to xda/help/en/default.htm or (2) /%09/ (slash encoded horizontal tab slash) followed by a domain in the redirectUrl parameter to xda/component/virtuallinkconnect.
network
opentext CWE-601
5.8
2017-05-10 CVE-2017-8892 Cross-site Scripting vulnerability in Opentext Tempo BOX 10.0.3
Cross-site scripting (XSS) vulnerability in OpenText Tempo Box 10.0.3 allows remote attackers to inject arbitrary web script or HTML persistently via the name of an uploaded image.
network
opentext CWE-79
4.3
2017-04-25 CVE-2017-7221 SQL Injection vulnerability in Opentext Documentum Content Server
OpenText Documentum Content Server has an inadequate protection mechanism against SQL injection, which allows remote authenticated users to execute arbitrary code with super-user privileges by leveraging the availability of the dm_bp_transition docbase method with a user-created dm_procedure object, as demonstrated by use of a backspace character in an injected string.
network
low complexity
opentext CWE-89
6.5
2017-04-21 CVE-2017-7220 Improper Input Validation vulnerability in Opentext Documentum Content Server
OpenText Documentum Content Server allows superuser access via sys_obj_save or save of a crafted object, followed by an unauthorized "UPDATE dm_dbo.dm_user_s SET user_privileges=16" command, aka an "RPC save-commands" attack.
network
low complexity
opentext CWE-20
critical
9.0