CVE-2016-0914

Yet another one “nothing fixed“:

ESA-2016-069: EMC Documentum WebTop and WebTop Clients Improper Authorization Vulnerability

EMC Identifier: ESA-2016-069

CVE Identifier: CVE-2016-0914

Severity Rating: CVSS v3 Base Score: 5.0 (AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L)

Affected products:
* EMC Documentum WebTop 6.8 and 6.8.1
* EMC Documentum Administrator 7.0, 7.1, 7.2
* EMC Documentum TaskSpace 6.7 SP3
* EMC Documentum Capital Projects 1.9 and 1.10

Summary:
EMC Documentum WebTop and WebTop dependent products contain a fix for improper authorization vulnerability that could potentially be exploited by malicious users to compromise the affected system.
Details:
Remote authenticated WebTop and WebTop Client users may gain access to the IAPI/IDQL interface in WebTop without proper authorization. Malicious users could exploit this vulnerability to run IAPI/IDQL commands on the affected systems using their own privilege.

Resolution:
The following product releases contain resolution to this vulnerability:
EMC Documentum WebTop 6.8 Patch 13 and later
* EMC Documentum WebTop 6.8.1 patch 02 and later
* EMC Documentum Administrator 7.2 Patch 13 and later
* EMC Documentum Capital Projects 1.9 Patch 23 and later
* EMC Documentum Capital Projects 1.10 Patch 10 and later

PoC: https://gist.github.com/andreybpanfilov/785173c085d818c4fbf913075a5ad421

Demo:

One thought on “CVE-2016-0914

  1. Pingback: API Tester capabilities :) | Documentum in a (nuts)HELL

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s