Vulnerabilities > Opentext

DATE CVE VULNERABILITY TITLE RISK
2017-09-28 CVE-2017-14527 XXE vulnerability in Opentext Documentum Administrator and Documentum Webtop
Multiple XML external entity (XXE) vulnerabilities in the OpenText Documentum Webtop 6.8.0160.0073 allow remote authenticated users to list the contents of arbitrary directories, read arbitrary files, cause a denial of service, or, on Windows, obtain Documentum user hashes via a (1) crafted DTD, involving unspecified XML structures in a request to xda/com/documentum/ucf/server/transport/impl/GAIRConnector or crafted XML file in a MediaProfile file (2) import or (3) check in.
network
low complexity
opentext CWE-611
6.5
2017-09-28 CVE-2017-14526 XXE vulnerability in Opentext Documentum Administrator and Documentum Webtop
Multiple XML external entity (XXE) vulnerabilities in the OpenText Documentum Administrator 7.2.0180.0055 allow remote authenticated users to list the contents of arbitrary directories, read arbitrary files, cause a denial of service, or, on Windows, obtain Documentum user hashes via a (1) crafted DTD, involving unspecified XML structures in a request to xda/com/documentum/ucf/server/transport/impl/GAIRConnector or crafted XML file in a MediaProfile file (2) import or (3) check in.
network
low complexity
opentext CWE-611
6.5
2017-09-28 CVE-2017-14525 Open Redirect vulnerability in Opentext Documentum Administrator and Documentum Webtop
Multiple open redirect vulnerabilities in OpenText Documentum Webtop 6.8.0160.0073 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a (1) URL in the startat parameter to xda/help/en/default.htm or (2) /%09/ (slash encoded horizontal tab slash) followed by a domain in the redirectUrl parameter to xda/component/virtuallinkconnect.
network
opentext CWE-601
5.8
2017-09-28 CVE-2017-14524 Open Redirect vulnerability in Opentext Documentum Administrator and Documentum Webtop
Multiple open redirect vulnerabilities in OpenText Documentum Administrator 7.2.0180.0055 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a (1) URL in the startat parameter to xda/help/en/default.htm or (2) /%09/ (slash encoded horizontal tab slash) followed by a domain in the redirectUrl parameter to xda/component/virtuallinkconnect.
network
opentext CWE-601
5.8
2017-05-10 CVE-2017-8892 Cross-site Scripting vulnerability in Opentext Tempo BOX 10.0.3
Cross-site scripting (XSS) vulnerability in OpenText Tempo Box 10.0.3 allows remote attackers to inject arbitrary web script or HTML persistently via the name of an uploaded image.
network
opentext CWE-79
4.3
2017-04-25 CVE-2017-7221 SQL Injection vulnerability in Opentext Documentum Content Server
OpenText Documentum Content Server has an inadequate protection mechanism against SQL injection, which allows remote authenticated users to execute arbitrary code with super-user privileges by leveraging the availability of the dm_bp_transition docbase method with a user-created dm_procedure object, as demonstrated by use of a backspace character in an injected string.
network
low complexity
opentext CWE-89
6.5
2017-04-21 CVE-2017-7220 Improper Input Validation vulnerability in Opentext Documentum Content Server
OpenText Documentum Content Server allows superuser access via sys_obj_save or save of a crafted object, followed by an unauthorized "UPDATE dm_dbo.dm_user_s SET user_privileges=16" command, aka an "RPC save-commands" attack.
network
low complexity
opentext CWE-20
critical
9.0
2017-02-22 CVE-2017-5586 Improper Input Validation vulnerability in Opentext Documentum D2
OpenText Documentum D2 (formerly EMC Documentum D2) 4.x allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the BeanShell (bsh) and Apache Commons Collections (ACC) libraries.
network
low complexity
opentext CWE-20
7.5
2017-02-22 CVE-2017-5585 Injection vulnerability in Opentext Documentum Content Server 7.3
OpenText Documentum Content Server (formerly EMC Documentum Content Server) 7.3, when PostgreSQL Database is used and return_top_results_row_based config option is false, does not properly restrict DQL hints, which allows remote authenticated users to conduct DQL injection attacks and execute arbitrary DML or DDL commands via a crafted request.
network
low complexity
opentext CWE-74
6.5
2015-08-20 CVE-2015-6530 Cross-site Scripting vulnerability in Opentext Secure MFT 2013 and Secure MFT 2014
Cross-site scripting (XSS) vulnerability in OpenText Secure MFT 2013 before 2013 R3 P6 and 2014 before 2014 R2 P2 allows remote attackers to inject arbitrary web script or HTML via the querytext parameter to userdashboard.jsp.
network
opentext CWE-79
4.3