MidnightBSD

Advisories for emc

CVE-2001-0910 HIGH

Legato Networker before 6.1 allows remote attackers to bypass access restrictions and gain privileges on the Networker interface by spoofing the admin server name and IP address and connecting to Networker from an IP address whose hostname can not be determined by a DNS reverse lookup.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
emc networker 6.0
CVE-2002-0113 MEDIUM

EMC NetWorker (formerly Legato NetWorker) before 7.0 stores log files in the /nsr/logs/ directory with world-readable permissions, which allows local users to read sensitive information and possibly gain privileges. NOTE: this was originally reported for Legato NetWorker 6.1 on the Solaris 7 platform.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
emc networker 6.1
CVE-2002-0114 MEDIUM

EMC NetWorker (formerly Legato NetWorker) before 7.0 stores passwords in plaintext in the daemon.log file, which allows local users to gain privileges by reading the password from the file. NOTE: this was originally reported for Legato NetWorker 6.1 on the Solaris 7 platform.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
emc networker 6.1
CVE-2005-0357 HIGH

EMC Legato NetWorker, Sun Solstice Backup 6.0 and 6.1, and StorEdge Enterprise Backup 7.0 through 7.2 rely on AUTH_UNIX authentication, which relies on user ID for authentication and allows remote attackers to bypass authentication and gain privileges by spoofing a username or UID.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
sun storedge_enterprise_backup_software 7.0
sun storedge_enterprise_backup_software 7.1
sun solstice_backup 6.0
emc legato_networker 6.0
emc legato_networker 6.1
sun solstice_backup 6.1
emc legato_networker 7.2
emc legato_networker 7.13
emc legato_networker 4.2.2
sun storedge_enterprise_backup_software 7.2
CVE-2005-0358 HIGH

EMC Legato NetWorker, Solstice Backup 6.0 and 6.1, and StorEdge Enterprise Backup 6.0 through 7.2 do not properly verify authentication tokens, which allows remote attackers to gain privileges by modifying an authentication token.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
sun storedge_enterprise_backup_software 7.0
sun storedge_enterprise_backup_software 7.1
sun solstice_backup 6.0
emc legato_networker 6.0
emc legato_networker 6.1
sun solstice_backup 6.1
emc legato_networker 7.2
emc legato_networker 7.13
emc legato_networker 4.2.2
sun storedge_enterprise_backup_software 7.2
CVE-2005-0359 MEDIUM

The Legato PortMapper in EMC Legato NetWorker, Sun Solstice Backup 6.0 and 6.1, and StorEdge Enterprise Backup 7.0 through 7.2 does not restrict access to the pmap_set and pmap_unset commands, which allows remote attackers to (1) cause a denial of service by using pmap_unset to un-register a NetWorker service, or (2) obtain sensitive information from NetWorker services by using pmap_set to register a new service.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
sun storedge_enterprise_backup_software 7.0
sun storedge_enterprise_backup_software 7.1
sun solstice_backup 6.0
emc legato_networker 6.0
emc legato_networker 6.1
sun solstice_backup 6.1
emc legato_networker 7.2
emc legato_networker 7.13
emc legato_networker 4.2.2
sun storedge_enterprise_backup_software 7.2
CVE-2005-2184 HIGH

eRoom 6.x does not properly restrict files that can be attached, which allows remote attackers to execute arbitrary commands via a .lnk file.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
emc eroom 6.0.4
emc eroom 6.0.1
emc eroom 6.0.3
emc eroom 6.0.2
emc eroom 6.0.6
emc eroom 6.0.7
emc eroom 6.0.5
emc eroom 6.0
CVE-2005-2185 HIGH

eRoom does not set an expiration for Cookies, which allows remote attackers to capture cookies and conduct replay attacks.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
emc eroom 6.0.4
emc eroom 6.0.1
emc eroom 6.0.3
emc eroom 6.0.2
emc eroom 6.0.6
emc eroom 6.0.7
emc eroom 6.0.5
emc eroom 6.0
CVE-2005-2357 MEDIUM

Directory traversal vulnerability in EMC Navisphere Manager 6.4.1.0.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the URL.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
emc navisphere_manager 6.4
emc navisphere_manager 6.5
emc navisphere_manager 6.6
emc navisphere_manager 6.4.1.0.0
CVE-2005-2358 MEDIUM

EMC Navisphere Manager 6.4.1.0.0 allows remote attackers to list arbitrary directories via an HTTP request for a directory that ends in a "." (trailing dot).

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
emc navisphere_manager 6.4
emc navisphere_manager 6.5
emc navisphere_manager 6.6
emc navisphere_manager 6.4.1.0
CVE-2005-3658 HIGH

Multiple heap-based buffer overflows in EMC Legato NetWorker 7.1.x before 7.1.4 and 7.2.x before 7.2.1.Build.314, and other products such as Sun Solstice Backup (SBU) 6.0 and 6.1 and StorEdge Enterprise Backup Software (EBS) 7.1 through 7.2L, allow remote attackers to execute arbitrary code or cause a denial of service (unresponsive application) via malformed RPC packets to (1) RPC program number 390109 (nsrd.exe) and (2) RPC program number 390113 (nsrexecd.exe).

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
emc legato_networker 7.2_build172
emc legato_networker 7.2.1
emc legato_networker 7.1.1
emc legato_networker 7.2
emc legato_networker 7.1.2
emc legato_networker 7.1.3
CVE-2005-3659 MEDIUM

nsrd.exe in EMC Legato NetWorker 7.1.x before 7.1.4 and 7.2.x before 7.2.1.Build.314, and other products such as Sun Solstice Backup (SBU) 6.0 and 6.1 and StorEdge Enterprise Backup Software (EBS) 7.1 through 7.2L, allows remote attackers to cause a denial of service (nsrd service crash) via a malformed RPC request to RPC program number 390109, which triggers a null dereference.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-399,

Products Affected

Vendor Product Version
emc legato_networker 7.2_build172
emc legato_networker 7.2.1
emc legato_networker 7.2
CVE-2006-2154 HIGH

EMC Retrospect for Windows 6.5 before 6.5.382, 7.0 before 7.0.344, and 7.5 before 7.5.1.105 does not drop privileges before opening files, which allows local users to execute arbitrary code via the File>Open dialog.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
emc retrospect *
CVE-2006-2155 MEDIUM

EMC Retrospect for Windows 6.5 before 6.5.382, 7.0 before 7.0.344, and 7.5 before 7.5.1.105 allows local users to execute arbitrary code by replacing the Retrospect.exe file, possibly due to improper file permissions.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
emc retrospect *
CVE-2006-2391 HIGH

Buffer overflow in EMC Retrospect Client 5.1 through 7.5 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted packet to port 497.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
emc retrospect_client 6.5
emc retrospect_client 7.5
emc retrospect_client 5.1
emc retrospect_client 7.0
CVE-2008-0961 HIGH

EMV DiskXtender 6.20.060 has a hard-coded login and password, which allows remote attackers to bypass authentication via the RPC interface.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-798,

Products Affected

Vendor Product Version
emc diskxtender 6.20.060
CVE-2009-2754 HIGH

Integer signedness error in the authentication functionality in librpc.dll in the Informix Storage Manager (ISM) Portmapper service (aka portmap.exe), as used in IBM Informix Dynamic Server (IDS) 10.x before 10.00.TC9 and 11.x before 11.10.TC3 and EMC Legato NetWorker, allows remote attackers to execute arbitrary code via a crafted parameter size that triggers a stack-based buffer overflow.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-189,

Products Affected

Vendor Product Version
ibm informix_dynamic_server 10.0.xc3
ibm informix_dynamic_server 10.0.tc1
ibm informix_dynamic_server 11.10.xc1de
ibm informix_dynamic_server 11.10.xc3e
ibm informix_dynamic_server 10.0.xc6e
ibm informix_dynamic_server 11.1
ibm informix_dynamic_server 11.10
ibm informix_dynamic_server 10.0.xc4e
ibm informix_dynamic_server 10.0.xc7e
ibm informix_dynamic_server 10.0.xc10
ibm informix_dynamic_server 11.10.xc1
ibm informix_dynamic_server 10.0.xc5
ibm informix_dynamic_server 11.10.xc2
ibm informix_dynamic_server 11.10.xc2e
ibm informix_dynamic_server 11.10.xc3
ibm informix_dynamic_server 10.0.xc5e
ibm informix_dynamic_server 10.0.xc7
emc legato_networker *
ibm informix_dynamic_server 10.0
ibm informix_dynamic_server 10.0.xc3e
ibm informix_dynamic_server 10.0.xc6
ibm informix_dynamic_server 10.0.xc9
ibm informix_dynamic_server 10.0.xc8e
ibm informix_dynamic_server 10.0.xc2e
ibm informix_dynamic_server 10.0.xc4
ibm informix_dynamic_server 10.0.xc8
ibm informix_dynamic_server 10.0.xc10e
ibm informix_dynamic_server 10.0.xc1
ibm informix_dynamic_server 10.0.xc9e
CVE-2009-3573 HIGH

Multiple insecure method vulnerabilities in the PDIControl.PDI.1 ActiveX control (PDIControl.dll) 2.2.3160.0 in EMC Captiva PixTools Distributed Imaging 2.2 allow remote attackers to create or overwrite arbitrary files via the (1) SetLogFileName and (2) WriteToLog methods.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
emc captiva_pixtools_distributed_imaging 2.2
CVE-2010-0620 HIGH

Directory traversal vulnerability in the SSL Service in EMC HomeBase Server 6.2.x before 6.2.3 and 6.3.x before 6.3.2 allows remote attackers to overwrite arbitrary files with any content, and consequently execute arbitrary code, via a .. (dot dot) in an unspecified parameter.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-22,

Products Affected

Vendor Product Version
emc homebase_server 6.2
emc homebase_server 6.3
CVE-2010-1904 MEDIUM

SQL injection vulnerability in EMC RSA Key Manager (RKM) C Client 1.5.x allows user-assisted remote attackers to execute arbitrary SQL commands via the metadata section of encrypted key data.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
emc rsa_key_manager_client 1.5.0
CVE-2010-1919 HIGH

Unspecified vulnerability in EMC Avamar 4.1.x and 5.0 before SP1 allows remote attackers to cause a denial of service (gsan service hang) by sending a crafted message using TCP.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
emc avamar 4.1
emc avamar *
CVE-2010-2633 HIGH

Unspecified vulnerability in EMC Disk Library (EDL) before 3.2.7, 3.3.x before 3.3.2 epatch 8, and 4.0.x before 4.0.1 epatch 4 allows remote attackers to cause a denial of service (communication-module crash) by sending a crafted message through TCP.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
emc disk_library 3.3.1
emc disk_library 3.3.2
emc disk_library *
emc disk_library 4.0.0
CVE-2010-2860 HIGH

The EMC Celerra Network Attached Storage (NAS) appliance accepts external network traffic to IP addresses intended for an intranet network within the appliance, which allows remote attackers to read, create, or modify arbitrary files in the user data directory via NFS requests.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,

Products Affected

Vendor Product Version
emc celerra_network_attached_storage *
CVE-2011-0321 MEDIUM

librpc.dll in nsrexecd in EMC NetWorker before 7.5 SP4, 7.5.3.x before 7.5.3.5, and 7.6.x before 7.6.1.2 does not properly mitigate the possibility of a spoofed localhost source IP address, which allows remote attackers to (1) register or (2) unregister RPC services, and consequently cause a denial of service or obtain sensitive information from interprocess communication, via crafted UDP packets containing service commands.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
emc networker 7.6.0.5
emc networker 7.5.3.2
emc networker *
emc networker 7.5.3.1
emc networker 7.6.0.4
emc networker 7.6.0.7
emc networker 7.3
emc networker 6.0
emc networker 7.0
emc networker 7.6.0.2
emc networker 7.6.0.6
emc networker 7.6.1.1
emc networker 7.4
emc networker 7.5.3.3
emc networker 7.2
emc networker 7.6.0.8
emc networker 7.5
emc networker 6.1
emc networker 7.5.3.4
emc networker 7.6.0.9
emc networker 7.6.0.3
CVE-2011-0442 LOW

The service utility in EMC Avamar 5.x before 5.0.4 uses cleartext to transmit event details in (1) service requests and (2) e-mail messages, which might allow remote attackers to obtain sensitive information by sniffing the network.

CVSS 2.0

Severity: LOW

Problem Type: CWE-310,

Products Affected

Vendor Product Version
emc avamar 5.0
emc avamar *
CVE-2011-0647 HIGH

The irccd.exe service in EMC Replication Manager Client before 5.3 and NetWorker Module for Microsoft Applications 2.1.x and 2.2.x allows remote attackers to execute arbitrary commands via the RunProgram function to TCP port 6542.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
emc networker_module 2.2
emc replication_manager 5.2
emc replication_manager *
emc networker_module 2.1
emc replication_manager 5.2.2
emc replication_manager 2.0
CVE-2011-0648 HIGH

Unspecified vulnerability in EMC Avamar before 5.0.4-30 allows remote authenticated users to gain privileges via unknown vectors.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
emc avamar 4.1
emc avamar 5.0
emc avamar *
CVE-2011-1420 HIGH

EMC Data Protection Advisor Collector 5.7 and 5.7.1 on Solaris SPARC platforms uses weak permissions for unspecified files, which allows local users to gain privileges via unknown vectors.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,

Products Affected

Vendor Product Version
emc data_protection_advisor_collector 5.7
oracle solaris_sparc *
emc data_protection_advisor_collector 5.7.1
CVE-2011-1421 MEDIUM

EMC NetWorker 7.5.x before 7.5.4.3 and 7.6.x before 7.6.1.5, when the client push feature is enabled, uses weak permissions for an unspecified file, which allows local users to gain privileges via unknown vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
emc networker 7.5.4
emc networker 7.5.3.5
emc networker 7.6.0.7
emc networker 7.6.1.4
emc networker 7.6.0.6
emc networker 7.5.4.2
emc networker 7.5.2.2
emc networker 7.6
emc networker 7.5.3.4
emc networker 7.6.0.9
emc networker 7.6.0.3
emc networker 7.5.3
emc networker 7.6.0.5
emc networker 7.5.3.2
emc networker 7.5.3.1
emc networker 7.6.0.4
emc networker 7.6.0.2
emc networker 7.6.1.1
emc networker 7.6.1.2
emc networker 7.5.3.3
emc networker 7.6.1
emc networker 7.6.1.3
emc networker 7.5.2.0
emc networker 7.5.2.4
emc networker 7.6.0.8
emc networker 7.5.4.1
emc networker 7.5.2.3
emc networker 7.5.2.1
CVE-2011-1422 MEDIUM

Cross-site scripting (XSS) vulnerability in an unspecified Shockwave Flash file in EMC RSA Adaptive Authentication On-Premise (AAOP) 2.x, 5.7.x, and 6.x allows remote attackers to inject arbitrary web script or HTML via unknown vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
emc rsa_adaptive_authentication_on-premise 5.7.0
emc rsa_adaptive_authentication_on-premise 5.7.2
emc rsa_adaptive_authentication_on-premise 5.7.3
emc rsa_adaptive_authentication_on-premise 6.0.2.1
emc rsa_adaptive_authentication_on-premise 6.0
emc rsa_adaptive_authentication_on-premise 2.0
CVE-2011-1423 MEDIUM

Cross-site scripting (XSS) vulnerability in RSA Data Loss Prevention (DLP) Enterprise Manager 8.x before 8.5 SP1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
emc data_loss_prevention_enterprise_manager 8.0
emc data_loss_prevention_enterprise_manager 8.5
CVE-2011-1424 LOW

The default configuration of ExShortcut\Web.config in EMC SourceOne Email Management before 6.6 SP1, when the Mobile Services component is used, does not properly set the localOnly attribute of the trace element, which allows remote authenticated users to obtain sensitive information via ASP.NET Application Tracing.

CVSS 2.0

Severity: LOW

Problem Type: CWE-16,

Products Affected

Vendor Product Version
emc sourceone_email_management *
emc sourceone_email_management 6.5.2.3668
CVE-2011-1740 HIGH

EMC Avamar 4.x, 5.0.x, and 6.0.x before 6.0.0-592 allows remote authenticated users to modify client data or obtain sensitive information about product activities by leveraging privileged access to a different domain.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,

Products Affected

Vendor Product Version
emc avamar 6.0
emc avamar 5.0.0-407
emc avamar 4.1
emc avamar 5.0
emc avamar 4.0
emc avamar 5.0.4-26
CVE-2011-1741 HIGH

Stack-based buffer overflow in ftserver.exe in the OpenText Hummingbird Client Connector, as used in the Indexing Server in EMC Documentum eRoom 7.x before 7.4.3.f and other products, allows remote attackers to execute arbitrary code by sending a crafted message over TCP.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
emc documentum_eroom 7.4.2
emc documentum_eroom 7.4.3
emc documentum_eroom 7.4.1
CVE-2011-1742 LOW

EMC Data Protection Advisor before 5.8.1 places cleartext account credentials in the DPA configuration file in unspecified circumstances, which might allow local users to obtain sensitive information by reading this file.

CVSS 2.0

Severity: LOW

Problem Type: CWE-255,

Products Affected

Vendor Product Version
emc data_protection_advisor 5.7
emc data_protection_advisor 5.0
emc data_protection_advisor 5.6.1
emc data_protection_advisor *
emc data_protection_advisor 5.6
emc data_protection_advisor 5.8
emc data_protection_advisor 5.7.1
CVE-2011-1743 MEDIUM

Cross-site scripting (XSS) vulnerability in EMC Captiva eInput 2.1.1 before 2.1.1.37 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
emc captiva_einput *
CVE-2011-1744 MEDIUM

EMC Captiva eInput 2.1.1 before 2.1.1.37 does not restrict the origin of calls to ActiveX functions, which allows remote attackers to read arbitrary files or cause a denial of service via a crafted web site.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
emc captiva_einput *
CVE-2011-2733 HIGH

EMC RSA Adaptive Authentication On-Premise (AAOP) 6.0.2.1 SP1 Patch 2, SP1 Patch 3, SP2, SP2 Patch 1, and SP3 does not prevent reuse of authentication information during a session, which allows remote authenticated users to bypass intended access restrictions via vectors related to knowledge of the originally used authentication information and unspecified other session information.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-287,

Products Affected

Vendor Product Version
emc rsa_adaptive_authentication_on-premise 6.0.2.1
CVE-2011-2735 HIGH

Multiple buffer overflows in EMC AutoStart 5.3.x and 5.4.x before 5.4.1 allow remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code by sending a crafted message over TCP.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
emc autostart 5.4
emc autostart 5.3
CVE-2011-2738 HIGH

Multiple unspecified vulnerabilities in Cisco Unified Service Monitor before 8.6, as used in Unified Operations Manager before 8.6 and CiscoWorks LAN Management Solution 3.x and 4.x before 4.1; and multiple EMC Ionix products including Application Connectivity Monitor (Ionix ACM) 2.3 and earlier, Adapter for Alcatel-Lucent 5620 SAM EMS (Ionix ASAM) 3.2.0.2 and earlier, IP Management Suite (Ionix IP) 8.1.1.1 and earlier, and other Ionix products; allow remote attackers to execute arbitrary code via crafted packets to TCP port 9002, aka Bug IDs CSCtn42961 and CSCtn64922, related to a buffer overflow.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
cisco unified_service_monitor 2.2
cisco unified_service_monitor 2.0.1
cisco ciscoworks_lan_management_solution 4.0.1
cisco unified_operations_manager 2.0.2
emc ionix_ip *
emc ionix_asam *
cisco ciscoworks_lan_management_solution 3.1
cisco unified_operations_manager 8.0
cisco unified_service_monitor 2.1
cisco unified_operations_manager 1.0
cisco unified_service_monitor 1.1
cisco unified_operations_manager *
cisco ciscoworks_lan_management_solution 3.2
cisco unified_service_monitor 2.3
cisco unified_operations_manager 1.1
cisco unified_service_monitor 8.0
cisco ciscoworks_lan_management_solution 4.0
cisco unified_operations_manager 2.1
cisco unified_operations_manager 2.0
cisco unified_operations_manager 2.3
cisco unified_operations_manager 2.2
cisco unified_service_monitor 2.0
cisco unified_operations_manager 2.0.1
cisco ciscoworks_lan_management_solution 3.0
cisco unified_operations_manager 2.0.3
emc ionix_acm *
cisco unified_service_monitor *
CVE-2011-2739 HIGH

The file-blocking feature in EMC Documentum eRoom 7.3.x and 7.4.x before 7.4.3.g does not properly restrict the uploading and opening of files with dangerous file types, which allows remote authenticated users to execute arbitrary code via an uploaded file.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,

Products Affected

Vendor Product Version
emc documentum_eroom 7.3.0
emc documentum_eroom 7.4.2
emc documentum_eroom 7.4.3
emc documentum_eroom 7.4.1
CVE-2011-2740 HIGH

EMC RSA Key Manager (RKM) Appliance 2.7 SP1 before 2.7.1.6, when Firefox 4.x or 5.0 is used, does not properly terminate a user session upon a logout action, which makes it easier for remote attackers to execute arbitrary code by leveraging an unattended workstation.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,

Products Affected

Vendor Product Version
emc rsa_key_manager_appliance 2.7
CVE-2011-2741 MEDIUM

EMC RSA Adaptive Authentication On-Premise (AAOP) 6.0.2.1 SP1 Patch 2, SP1 Patch 3, SP2, SP2 Patch 1, and SP3 does not properly implement Device Recovery and Device Identification, which might allow remote attackers to bypass intended security restrictions on a (1) previously non-registered device or (2) registered device by sending unspecified "data elements."

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
emc rsa_adaptive_authentication_on-premise 6.0.2.1
CVE-2011-2742 MEDIUM

EMC RSA Adaptive Authentication On-Premise (AAOP) 6.0.2.1 SP1 Patch 2, SP1 Patch 3, SP2, SP2 Patch 1, and SP3 does not properly perform forensic evaluation upon receipt of device tokens from mobile apps, which might allow remote attackers to bypass intended application restrictions via a mobile device.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
emc rsa_adaptive_authentication_on-premise 6.0.2.1
CVE-2011-4142 LOW

The Web Search feature in EMC SourceOne Email Management 6.5 before 6.5.2.4033, 6.6 before 6.6.1.2194, and 6.7 before 6.7.2.2033 places cleartext credentials in log files, which allows local users to obtain sensitive information by reading these files.

CVSS 2.0

Severity: LOW

Problem Type: CWE-255,

Products Affected

Vendor Product Version
emc sourceone_email_management 6.6.0.1209
emc sourceone_email_management 6.7
emc sourceone_email_management *
emc sourceone_email_management 6.5
emc sourceone_email_management 6.6
CVE-2011-4144 MEDIUM

Unspecified vulnerability in EMC Documentum Content Server 6.0, 6.5 before SP2 P02, 6.5 SP3 before SP3 P02, and 6.6 before P02 allows local users to obtain "highest super user privileges" by leveraging system administrator privileges.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
emc documentum_content_server 6.5
emc documentum_content_server 6.0
emc documentum_content_server 6.6
centos centos 6
CVE-2012-0395 HIGH

Buffer overflow in the server in EMC NetWorker 7.5.x and 7.6.x before 7.6.3 SP1 Cumulative Release build 851 allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via unspecified vectors.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
emc networker 7.5.4
emc networker 7.5.3.5
emc networker 7.6.0.7
emc networker 7.6.1.4
emc networker 7.6.0.6
emc networker 7.5.4.2
emc networker 7.5.2.2
emc networker 7.6
emc networker 7.5.4.3
emc networker 7.5.3.4
emc networker 7.6.0.9
emc networker 7.6.0.3
emc networker 7.5.3
emc networker 7.6.0.5
emc networker 7.5.3.2
emc networker 7.5.3.1
emc networker 7.6.0.4
emc networker 7.6.0.2
emc networker 7.6.1.1
emc networker 7.6.1.2
emc networker 7.6.1.5
emc networker 7.5.3.3
emc networker 7.6.1
emc networker 7.6.1.3
emc networker 7.6.3
emc networker 7.5.2.0
emc networker 7.5.2.4
emc networker 7.6.0.8
emc networker 7.5
emc networker 7.5.4.1
emc networker 7.5.2.3
emc networker 7.5.2.1
CVE-2012-0396 MEDIUM

EMC Documentum xPlore 1.0, 1.1 before P07, and 1.2 does not properly enforce the requirement for BROWSE permission, which allows remote authenticated users to determine the existence of an object, or read object metadata, via a search.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
emc documentum_xplore 1.2
emc documentum_xplore 1.0
emc documentum_xplore 1.1
CVE-2012-0398 HIGH

EMC Documentum eRoom before 7.4.4 does not properly validate session cookies, which allows remote attackers to hijack or replay sessions via unspecified vectors.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,

Products Affected

Vendor Product Version
emc documentum_eroom *
emc documentum_eroom 7.3.0
emc documentum_eroom 7.4.2
emc documentum_eroom 7.4.1
CVE-2012-0404 MEDIUM

Cross-site scripting (XSS) vulnerability in EMC Documentum eRoom before 7.4.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
emc documentum_eroom *
emc documentum_eroom 7.3.0
emc documentum_eroom 7.4.2
emc documentum_eroom 7.4.1
CVE-2012-0406 HIGH

The DPA_Utilities.cProcessAuthenticationData function in EMC Data Protection Advisor (DPA) 5.5 through 5.8 SP1 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an AUTHENTICATECONNECTION command that (1) lacks a password field or (2) has an empty password.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,

Products Affected

Vendor Product Version
emc data_protection_advisor 5.5
emc data_protection_advisor 5.7
emc data_protection_advisor 5.6
emc data_protection_advisor 5.8
CVE-2012-0407 MEDIUM

Integer overflow in the DPA_Utilities library in EMC Data Protection Advisor (DPA) 5.5 through 5.8 SP1 allows remote attackers to cause a denial of service (infinite loop) via a negative 64-bit value in a certain size field.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-189,

Products Affected

Vendor Product Version
emc data_protection_advisor 5.5
emc data_protection_advisor 5.7
emc data_protection_advisor 5.6
emc data_protection_advisor 5.8
CVE-2012-0409 HIGH

Multiple buffer overflows in EMC AutoStart 5.3.x and 5.4.x before 5.4.3 allow remote attackers to cause a denial of service (agent crash) or possibly execute arbitrary code via crafted packets.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
emc autostart 5.4.2
emc autostart 5.4.1
emc autostart 5.4
emc autostart 5.3
CVE-2012-2276 HIGH

The IRM Server in EMC Documentum Information Rights Management 4.x before 4.7.0100 and 5.x before 5.0.1030 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via input data that (1) lacks FIPS fields or (2) has an invalid version number.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
emc documentum_information_rights_management 4
emc documentum_information_rights_management 5
CVE-2012-2277 HIGH

The IRM Server in EMC Documentum Information Rights Management 4.x before 4.7.0100 and 5.x before 5.0.1030 allows remote attackers to cause a denial of service (pvcontrol.exe process hang) via \n (line feed) characters in the Id fields of many "batch begin untethered" commands.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
emc documentum_information_rights_management 4
emc documentum_information_rights_management 5
CVE-2012-2278 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in the (1) Self-Service Console and (2) Security Console in EMC RSA Authentication Manager 7.1 before SP4 P14 and RSA SecurID Appliance 3.0 before SP4 P14 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
rsa securid_appliance 3.0
emc rsa_authentication_manager *
emc rsa_authentication_manager 7.0
rsa securid_appliance 2.0
emc rsa_authentication_manager 7.1
rsa securid_appliance 2.0.1
rsa authentication_manager 7.1
rsa securid_appliance 2.0.2
CVE-2012-2279 MEDIUM

Open redirect vulnerability in the Security Console in EMC RSA Authentication Manager 7.1 before SP4 P14 and RSA SecurID Appliance 3.0 before SP4 P14 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
rsa securid_appliance 3.0
emc rsa_authentication_manager *
emc rsa_authentication_manager 7.0
rsa securid_appliance 2.0
emc rsa_authentication_manager 7.1
rsa securid_appliance 2.0.1
rsa authentication_manager 7.1
rsa securid_appliance 2.0.2
CVE-2012-2280 MEDIUM

EMC RSA Authentication Manager 7.1 before SP4 P14 and RSA SecurID Appliance 3.0 before SP4 P14 do not properly use frames, which allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to a "Cross frame scripting vulnerability."

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
rsa securid_appliance 3.0
emc rsa_authentication_manager *
emc rsa_authentication_manager 7.0
rsa securid_appliance 2.0
emc rsa_authentication_manager 7.1
rsa securid_appliance 2.0.1
rsa authentication_manager 7.1
rsa securid_appliance 2.0.2
CVE-2012-2282 MEDIUM

EMC Celerra Network Server 6.x before 6.0.61.0, VNX 7.x before 7.0.53.2, and VNXe 2.0 and 2.1 before 2.1.3.19077 (aka MR1 SP3.2) and 2.2 before 2.2.0.19078 (aka MR2 SP0.2) do not properly implement NFS access control, which allows remote authenticated users to read or modify files via a (1) NFSv2, (2) NFSv3, or (3) NFSv4 request.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
emc celerra_network_server 6.0.60.2
emc vnxe mr2
emc vnxe mr1
emc vnxe 2.0
emc vnx 7.0.12.0
emc vnx 7.0.53.1
emc celerra_network_server 6.0.36.4
CVE-2012-2515 HIGH

Multiple stack-based buffer overflows in the KeyHelp.KeyCtrl.1 ActiveX control in KeyHelp.ocx 1.2.312 in KeyWorks KeyHelp Module (aka the HTML Help component), as used in EMC Documentum ApplicationXtender Desktop 5.4; EMC Captiva Quickscan Pro 4.6 SP1; GE Intelligent Platforms Proficy Historian 3.1, 3.5, 4.0, and 4.5; GE Intelligent Platforms Proficy HMI/SCADA iFIX 5.0 and 5.1; GE Intelligent Platforms Proficy Pulse 1.0; GE Intelligent Platforms Proficy Batch Execution 5.6; GE Intelligent Platforms SI7 I/O Driver 7.20 through 7.42; and other products, allow remote attackers to execute arbitrary code via a long string in the second argument to the (1) JumpMappedID or (2) JumpURL method.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
ge intelligent_platforms_proficy_historian 4.0
ge intelligent_platforms_proficy_historian 3.1
ge intelligent_platforms_proficy_batch_execution 5.6
ge intelligent_platforms_proficy_historian 4.5
ge intelligent_platforms_proficy_pulse 1.0
ge intelligent_platforms_proficy_hmi/scada_ifix 5.1
ge intelligent_platforms_proficy_historian 3.5
emc documentum_applicationxtender_desktop 5.4
ge intelligent_platforms_si7_i/o_driver 7.20
ge intelligent_platforms_proficy_hmi/scada_ifix 5.0
emc captiva_quickscan_pro 4.6
ge intelligent_platforms_si7_i/o_driver 7.42
CVE-2013-0928 HIGH

The NetWorker command processor in rrobotd.exe in the Device Manager in EMC AlphaStor 4.0 before build 800 allows remote attackers to execute arbitrary commands via a DCP "run command" operation.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,

Products Affected

Vendor Product Version
emc alphastor 4.0
CVE-2013-0929 HIGH

Format string vulnerability in the _vsnsprintf function in rrobotd.exe in the Device Manager in EMC AlphaStor 4.0 before build 800 allows remote attackers to execute arbitrary code via format string specifiers in a command.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-134,

Products Affected

Vendor Product Version
emc alphastor 4.0
CVE-2013-0930 HIGH

Buffer overflow in Drive Control Program (DCP) in EMC AlphaStor 4.0 before build 814 allows remote attackers to execute arbitrary code via vectors involving a new device name.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
emc alphastor 4.0
CVE-2013-0932 MEDIUM

EMC RSA Archer 5.x before GRC 5.3SP1, and Archer Smart Suite Framework 4.x, allows remote authenticated users to bypass intended access restrictions and upload arbitrary files via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
emc rsa_archer_smartsuite 4.3
emc rsa_archer_egrc 5.3
emc rsa_archer_smartsuite 4.5
emc rsa_archer_egrc 5.1
emc rsa_archer_egrc 5.2
emc rsa_archer_egrc 5.0
CVE-2013-0933 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in EMC RSA Archer 5.x before GRC 5.3SP1, and Archer Smart Suite Framework 4.x, allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
emc rsa_archer_smartsuite 4.3
emc rsa_archer_egrc 5.3
emc rsa_archer_smartsuite 4.5
emc rsa_archer_egrc 5.1
emc rsa_archer_egrc 5.2
emc rsa_archer_egrc 5.0
CVE-2013-0934 MEDIUM

EMC RSA Archer 5.x before GRC 5.3SP1, and Archer Smart Suite Framework 4.x, allows remote authenticated users to bypass intended access restrictions and modify global reports via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
emc rsa_archer_smartsuite 4.3
emc rsa_archer_egrc 5.3
emc rsa_archer_smartsuite 4.5
emc rsa_archer_egrc 5.1
emc rsa_archer_egrc 5.2
emc rsa_archer_egrc 5.0
CVE-2013-0935 HIGH

EMC Smarts Network Configuration Manager (NCM) before 9.2 does not require authentication for all Java RMI method calls, which allows remote attackers to execute arbitrary code via unspecified vectors.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-287,

Products Affected

Vendor Product Version
emc smarts_network_configuration_manager *
CVE-2013-0936 MEDIUM

Cross-site scripting (XSS) vulnerability in EMC Smarts IP Manager, Smarts Service Assurance Manager, Smarts Server Manager, Smarts VoIP Availability Manager, Smarts Network Protocol Manager, and Smarts MPLS Manager before 9.2 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
emc smarts_network_protocol_manager 9.1
emc smarts_ip_manager 9.1
emc smarts_services_assurance_manager 9.1
emc smarts_mpls_manager 9.1
emc smarts_voip_availability_manager 9.1
emc smarts_server_manager 9.1
CVE-2013-0937 MEDIUM

Session fixation vulnerability in EMC Documentum Webtop before 6.7 SP2, Documentum WDK before 6.7 SP2, Documentum Taskspace before 6.7 SP2, and Documentum Records Manager before 6.7 SP2 allows remote attackers to hijack web sessions via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-287,

Products Affected

Vendor Product Version
emc documentum_webtop 6.7
emc documentum_records_manager 6.7
emc documentum_wdk 6.7
emc documentum_taskspace 6.7
CVE-2013-0938 MEDIUM

Cross-site scripting (XSS) vulnerability in EMC Documentum Webtop before 6.7 SP2, Documentum WDK before 6.7 SP2, Documentum Taskspace before 6.7 SP2, and Documentum Records Manager before 6.7 SP2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
emc documentum_webtop 6.7
emc documentum_records_manager 6.7
emc documentum_wdk 6.7
emc documentum_taskspace 6.7
CVE-2013-0939 MEDIUM

EMC Documentum Webtop before 6.7 SP2, Documentum WDK before 6.7 SP2, Documentum Taskspace before 6.7 SP2, and Documentum Records Manager before 6.7 SP2 allow remote attackers to obtain sensitive information via vectors involving cross-origin frame navigation, related to a "Cross Frame Scripting" issue.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
emc documentum_webtop 6.7
emc documentum_records_manager 6.7
emc documentum_wdk 6.7
emc documentum_taskspace 6.7
CVE-2013-0940 HIGH

The nsrpush process in the client in EMC NetWorker before 7.6.5.3 and 8.x before 8.0.1.4 sets weak permissions for unspecified files, which allows local users to gain privileges via unknown vectors.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,

Products Affected

Vendor Product Version
emc networker 7.4.5.10
emc networker 7.5.3.5
emc networker 8.0
emc networker 8.0.0.2
emc networker 7.6.0.6
emc networker 7.5.4.2
emc networker 7.6.4.3
emc networker 7.5.2.2
emc networker 7.5.4.6
emc networker 7.6.4
emc networker 6.1
emc networker 7.5.4.3
emc networker 8.0.0.1
emc networker 7.6.0.3
emc networker 7.5.3
emc networker 7.5.3.2
emc networker 7.6.4.4
emc networker 7.6.0.4
emc networker 8.0.0.6
emc networker 7.6.5
emc networker 7.0
emc networker 7.6.0.2
emc networker 7.6.4.5
emc networker 7.3.2
emc networker 7.6.1.2
emc networker 7.6.1.5
emc networker 7.5.3.3
emc networker 7.6.1
emc networker 7.6.1.3
emc networker 7.6.3
emc networker 7.5.2.4
emc networker 7.6.0.8
emc networker 7.5.4.1
emc networker 7.5.2.3
emc networker 7.5.2.1
emc networker 7.5.4
emc networker *
emc networker 7.5.4.5
emc networker 7.6.0.7
emc networker 7.3
emc networker 7.6.1.4
emc networker 7.2
emc networker 8.0.0.3
emc networker 7.5.4.7
emc networker 7.5.3.4
emc networker 7.6.0.9
emc networker 7.6.0.5
emc networker 7.5.3.1
emc networker 7.6.4.2
emc networker 7.4.5.6
emc networker 7.4.5.5
emc networker 6.0
emc networker 7.6.1.1
emc networker 7.4
emc networker 7.5.2.0
emc networker 7.5
emc networker 7.4.5.4
emc networker 7.6.4.1
emc networker 8.0.0.4
emc networker 8.0.0.5
emc networker 7.5.4.4
emc networker 8.0.1.3
CVE-2013-0942 MEDIUM

Cross-site scripting (XSS) vulnerability in EMC RSA Authentication Agent 7.1 before 7.1.1 for Web for Internet Information Services, and 7.1 before 7.1.1 for Web for Apache, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
emc rsa_authentication_agent 7.1
CVE-2013-0943 MEDIUM

EMC NetWorker 7.6.x and 8.x before 8.1 allows local users to obtain sensitive configuration information by leveraging operating-system privileges to perform decryption with nsradmin.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
emc networker 8.0.1.6
emc networker 8.0.2.0
emc networker 7.6.5.4
emc networker 7.6.0.7
emc networker 7.6.5.2
emc networker 7.6.1.4
emc networker 8.0
emc networker 8.0.0.2
emc networker 7.6.0.6
emc networker 7.6.4.3
emc networker 7.6.5.3
emc networker 8.0.0.3
emc networker 8.0.1.5
emc networker 7.6.4
emc networker 7.6.5.6
emc networker 7.6
emc networker 8.0.0.1
emc networker 7.6.0.9
emc networker 7.6.0.3
emc networker 7.6.0.5
emc networker 7.6.4.4
emc networker 7.6.0.4
emc networker 7.6.4.2
emc networker 8.0.0.6
emc networker 7.6.5.5
emc networker 7.6.5
emc networker 7.6.0.2
emc networker 7.6.4.5
emc networker 7.6.1.1
emc networker 7.6.1.2
emc networker 7.6.1.5
emc networker 7.6.1
emc networker 7.6.1.3
emc networker 7.6.3
emc networker 7.6.0.8
emc networker 7.6.4.1
emc networker 8.0.1.4
emc networker 8.0.0.4
emc networker 8.0.2.1
emc networker 8.0.0.5
emc networker 8.0.1.3
CVE-2013-0944 LOW

The web-based file-restore interface in EMC Avamar Server before 6.1.0 allows remote authenticated users to read arbitrary files via a crafted URL.

CVSS 2.0

Severity: LOW

Problem Type: CWE-200,

Products Affected

Vendor Product Version
emc avamar 6.0.3
emc avamar 6.0
emc avamar 5.0.0-407
emc avamar 6.0.1
emc avamar 5.0
emc avamar 6.0.2
emc avamar 5.0.4-26
CVE-2013-0945 HIGH

EMC Avamar Client before 6.1.101-89 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
emc avamar 6.0
emc avamar 5.0.0-407
emc avamar 4.1
emc avamar 5.0
emc avamar *
emc avamar 4.0
emc avamar 5.0.4-26
CVE-2013-0946 HIGH

Buffer overflow in the Library Control Program (LCP) in EMC AlphaStor 4.0 before build 910 allows remote attackers to execute arbitrary code via crafted commands.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
emc alphastor 4.0
CVE-2013-2717 HIGH

Multiple unspecified vulnerabilities in the System Management (aka SysAdmin) Console in EMC Smarts Network Configuration Manager (NCM) through 9.2 have unknown impact and attack vectors, a different issue than CVE-2013-0935. NOTE: this might overlap CVEs for open-source server components or other third-party components.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
emc smarts_network_configuration_manager 9.1
emc smarts_network_configuration_manager *
CVE-2013-3270 MEDIUM

EMC VNX Control Station before 7.1.70.2 and Celerra Control Station before 6.0.70.1 have an incorrect group ownership for unspecified script files, which allows local users to gain privileges by leveraging nasadmin group membership.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
emc vnx_control_station *
emc celerra_control_station *
CVE-2013-3271 MEDIUM

EMC RSA Authentication Agent for PAM 7.0 before 7.0.2.1 enforces the maximum number of login attempts within the PAM-enabled application codebase, instead of within the Agent codebase, which makes it easier for remote attackers to discover correct login credentials via a brute-force attack.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-255,

Products Affected

Vendor Product Version
emc rsa_authentication_agent 7.0.0
emc rsa_authentication_agent 7.0.2
emc rsa_authentication_agent 7.0.1
CVE-2013-3272 LOW

EMC Replication Manager (RM) before 5.4.4 places encoded passwords in application log files, which makes it easier for local users to obtain sensitive information by reading a file and conducting an unspecified decoding attack.

CVSS 2.0

Severity: LOW

Problem Type: CWE-255,

Products Affected

Vendor Product Version
emc replication_manager *
CVE-2013-3273 LOW

EMC RSA Authentication Manager 8.0 before P2 and 7.1 before SP4 P26, as used in Appliance 3.0, does not omit the cleartext administrative password from trace logging in custom SDK applications, which allows local users to obtain sensitive information by reading the trace log file.

CVSS 2.0

Severity: LOW

Problem Type: CWE-255,

Products Affected

Vendor Product Version
rsa authentication_manager 8.0
emc rsa_authentication_manager 7.1
emc rsa_authentication_manager 8.0
rsa authentication_manager 7.1
CVE-2013-3274 HIGH

EMC Avamar Server and Avamar Virtual Edition before 7.0 on Data Store Gen3, Gen4, and Gen4s platforms do not properly determine authorization for calls to Java RMI methods, which allows remote authenticated users to execute arbitrary code via unspecified vectors.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,

Products Affected

Vendor Product Version
emc avamar_server_virtual_edition 4.1
emc avamar_server_virtual_edition 5.0
emc avamar_server_virtual_edition *
emc avamar_server_virtual_edition 6.0
emc avamar_server 4.1
emc avamar_server *
emc avamar_server 5.0
emc avamar_server 4.0
emc avamar_server_virtual_edition 4.0
emc avamar_server 6.0
CVE-2013-3275 MEDIUM

EMC Avamar Server and Avamar Virtual Edition before 7.0 on Data Store Gen3, Gen4, and Gen4s platforms do not properly restrict use of FRAME elements, which makes it easier for remote attackers to obtain sensitive information via a crafted web site, related to "cross frame scripting vulnerabilities."

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
emc avamar_server_virtual_edition 4.1
emc avamar_server_virtual_edition 5.0
emc avamar_server_virtual_edition *
emc avamar_server_virtual_edition 6.0
emc avamar_server 4.1
emc avamar_server *
emc avamar_server 5.0
emc avamar_server 4.0
emc avamar_server_virtual_edition 4.0
emc avamar_server 6.0
CVE-2013-3276 MEDIUM

EMC RSA Archer GRC 5.x before 5.4 allows remote authenticated users to bypass intended access restrictions and complete a login by leveraging a deactivated account.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
emc rsa_archer_egrc 5.3
emc rsa_archer_egrc 5.1
emc rsa_archer_egrc 5.2
emc rsa_archer_egrc 5.0
CVE-2013-3277 MEDIUM

Open redirect vulnerability in EMC RSA Archer GRC 5.x before 5.4 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
emc rsa_archer_egrc 5.3
emc rsa_archer_egrc 5.1
emc rsa_archer_egrc 5.2
emc rsa_archer_egrc 5.0
CVE-2013-3278 MEDIUM

EMC VPLEX before VPLEX GeoSynchrony 5.2 SP1 uses cleartext for storage of the LDAP/AD bind password, which allows local users to obtain sensitive information by reading the management-server configuration file.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-255,

Products Affected

Vendor Product Version
emc geosynchrony *
emc vplex_geo -
emc vplex_metro -
emc vplex_local -
CVE-2013-3279 MEDIUM

EMC Atmos before 2.1.4 has a blank password for the PostgreSQL account, which allows remote attackers to obtain sensitive administrative information via a database-server connection.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-255,

Products Affected

Vendor Product Version
emc atmos *
CVE-2013-3280 HIGH

EMC RSA Authentication Agent 7.1.x before 7.1.2 for Web for Internet Information Services has a fail-open design, which allows remote attackers to bypass intended access restrictions via vectors that trigger an agent crash.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,

Products Affected

Vendor Product Version
emc rsa_authentication_agent 7.1
emc rsa_authentication_agent 7.1.1
CVE-2013-3281 MEDIUM

Cross-site scripting (XSS) vulnerability in EMC Documentum Webtop before 6.7 SP2 P07, Documentum WDK before 6.7 SP2 P07, Documentum Taskspace before 6.7 SP2 P07, Documentum Records Manager before 6.7 SP2 P07, Documentum Web Publisher before 6.5 SP7, Documentum Digital Asset Manager before 6.5 SP6, Documentum Administrator before 6.7 SP2 P07, and Documentum Capital Projects before 1.8 P01 allows remote attackers to inject arbitrary web script or HTML via a crafted parameter in a URL.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
emc documentum_webtop 6.7
emc documentum_administrator 6.7
emc documentum_webtop *
emc documentum_wdk *
emc documentum_administrator *
emc documentum_wdk 6.7
emc documentum_taskspace 6.7
emc documentum_taskspace *
emc documentum_web_publisher *
emc documentum_web_publisher 6.5
emc documentum_digital_asset_manager 6.5
emc documentum_capital_projects *
emc documentum_digital_asset_manager *
CVE-2013-3285 LOW

The NetWorker Management Console (NMC) in EMC NetWorker 8.0.x before 8.0.2.3, when using Active Directory/LDAP for authentication, allows remote authenticated users to discover cleartext administrator passwords via (1) unspecified NMC audit reports or (2) requests to RAP resources.

CVSS 2.0

Severity: LOW

Problem Type: CWE-310,

Products Affected

Vendor Product Version
emc networker 8.0.1.6
emc networker 8.0.2.0
emc networker 8.0.0.6
emc networker 8.0
emc networker 8.0.0.2
emc networker 8.0.0.3
emc networker 8.0.1.5
emc networker 8.0.1.4
emc networker 8.0.0.4
emc networker 8.0.2.2
emc networker 8.0.0.1
emc networker 8.0.2.1
emc networker 8.0.0.5
emc networker 8.0.1.3
CVE-2013-3286 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in EMC Documentum eRoom before 7.4.4 P11 allow remote attackers to inject arbitrary web script or HTML via a crafted URL.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
emc documentum_eroom *
emc documentum_eroom 7.3.0
emc documentum_eroom 7.4.2
emc documentum_eroom 7.4.0
emc documentum_eroom 7.4.3
emc documentum_eroom 7.4.1
CVE-2013-3288 MEDIUM

Cross-site scripting (XSS) vulnerability on the EMC RSA Data Protection Manager (DPM) appliance 3.2.x before 3.2.4.2 and 3.5.x before 3.5.1 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
emc rsa_data_protection_manager_appliance 3.2.1
emc rsa_data_protection_manager_appliance 3.2.3
emc rsa_data_protection_manager_appliance 3.2
emc rsa_data_protection_manager_appliance 3.2.4.1
emc rsa_data_protection_manager_appliance 3.2.2
emc rsa_data_protection_manager_appliance 3.5
CVE-2013-6078 MEDIUM

The default configuration of EMC RSA BSAFE Toolkits and RSA Data Protection Manager (DPM) 20130918 uses the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm, which makes it easier for context-dependent attackers to defeat cryptographic protection mechanisms by leveraging unspecified "security concerns," aka the ESA-2013-068 issue. NOTE: this issue has been SPLIT from CVE-2007-6755 because the vendor announcement did not state a specific technical rationale for a change in the algorithm; thus, CVE cannot reach a conclusion that a CVE-2007-6755 concern was the reason, or one of the reasons, for this change.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-310,

Products Affected

Vendor Product Version
emc rsa_data_protection_manager 20130918
emc rsa_bsafe_toolkits -
CVE-2013-6173 MEDIUM

Multiple cross-site request forgery (CSRF) vulnerabilities in EMC Document Sciences xPression 4.1 SP1 before Patch 47, 4.2 before Patch 26, and 4.5 before Patch 05, as used in Documentum Edition, Enterprise Edition Publish Engine, and Enterprise Edition Compuset Engine, allow remote attackers to hijack the authentication of administrators for requests that perform administrative actions in (1) xAdmin or (2) xDashboard.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
emc document_sciences_xpression 4.5
emc document_sciences_xpression 4.2
emc document_sciences_xpression 4.1
CVE-2013-6174 MEDIUM

Multiple open redirect vulnerabilities in xAdmin in EMC Document Sciences xPression 4.1 SP1 before Patch 47, 4.2 before Patch 26, and 4.5 before Patch 05, as used in Documentum Edition, Enterprise Edition Publish Engine, and Enterprise Edition Compuset Engine, allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified parameters.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
emc document_sciences_xpression 4.5
emc document_sciences_xpression 4.2
emc document_sciences_xpression 4.1
CVE-2013-6175 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in EMC Document Sciences xPression 4.1 SP1 before Patch 47, 4.2 before Patch 26, and 4.5 before Patch 05, as used in Documentum Edition, Enterprise Edition Publish Engine, and Enterprise Edition Compuset Engine, allow remote attackers to inject arbitrary web script or HTML via unspecified input to a (1) xAdmin or (2) xDashboard form.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
emc document_sciences_xpression 4.5
emc document_sciences_xpression 4.2
emc document_sciences_xpression 4.1
CVE-2013-6176 MEDIUM

Multiple SQL injection vulnerabilities in EMC Document Sciences xPression 4.1 SP1 before Patch 47, 4.2 before Patch 26, and 4.5 before Patch 05, as used in Documentum Edition, Enterprise Edition Publish Engine, and Enterprise Edition Compuset Engine, allow remote authenticated users to execute arbitrary SQL commands via unspecified input to a (1) xAdmin or (2) xDashboard form.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
emc document_sciences_xpression 4.5
emc document_sciences_xpression 4.2
emc document_sciences_xpression 4.1
CVE-2013-6177 LOW

Directory traversal vulnerability in EMC Document Sciences xPression 4.1 SP1 before Patch 47, 4.2 before Patch 26, and 4.5 before Patch 05, as used in Documentum Edition, Enterprise Edition Publish Engine, and Enterprise Edition Compuset Engine, allows remote authenticated users to read arbitrary files by leveraging xDashboard access.

CVSS 2.0

Severity: LOW

Problem Type: CWE-22,

Products Affected

Vendor Product Version
emc document_sciences_xpression 4.5
emc document_sciences_xpression 4.2
emc document_sciences_xpression 4.1
CVE-2013-6178 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in EMC RSA Archer GRC 5.x before 5.4 SP1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
emc rsa_archer_egrc 5.3
emc rsa_archer_egrc 5.1
emc rsa_archer_egrc 5.2
emc rsa_archer_egrc 5.4
emc rsa_archer_egrc 5.0
CVE-2013-6180 MEDIUM

EMC RSA Security Analytics (SA) 10.x before 10.3, and RSA NetWitness NextGen 9.8, does not ensure that SA Core requests originate from the SA REST UI, which allows remote attackers to bypass intended access restrictions by sending a Core request from a web browser or other unintended user agent.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
emc rsa_security_analytics 10.0
emc rsa_security_analytics 10.1
emc rsa_security_analytics 10.2
emc rsa_netwitness_nextgen 9.8
CVE-2013-6181 LOW

EMC Watch4Net before 6.3 stores cleartext polled-device passwords in the installation repository, which allows local users to obtain sensitive information by leveraging repository privileges.

CVSS 2.0

Severity: LOW

Problem Type: CWE-310,

Products Affected

Vendor Product Version
emc watch4net 6.1
emc watch4net 6.0
emc watch4net *
CVE-2013-6182 HIGH

Unquoted Windows search path vulnerability in EMC Replication Manager before 5.5 allows local users to gain privileges via a crafted application in a parent directory of an intended directory.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
emc replication_manager 5.2
emc replication_manager *
emc replication_manager 5.0
emc replication_manager 5.1
emc replication_manager 5.3
CVE-2013-6810 HIGH

The server in Brocade Network Advisor before 12.1.0, as used in EMC Connectrix Manager Converged Network Edition (CMCNE), HP B-series SAN Network Advisor, and possibly other products, allows remote attackers to execute arbitrary code by using a servlet to upload an executable file.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-94,

Products Affected

Vendor Product Version
emc connectrix_manager 12.0.1
emc connectrix_manager 11.2.1
emc connectrix_manager 12.0.3
CVE-2014-0622 HIGH

The web service in EMC Documentum Foundation Services (DFS) 6.5 through 6.7 before 6.7 SP1 P22, 6.7 SP2 before P08, 7.0 before P12, and 7.1 before P01 does not properly implement content uploading, which allows remote authenticated users to bypass intended content access restrictions via unspecified vectors.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,

Products Affected

Vendor Product Version
emc documentum_foundation_services 6.5
emc documentum_foundation_services 6.7
emc documentum_foundation_services 7.1
emc documentum_foundation_services 6.6
emc documentum_foundation_services 7.0
CVE-2014-0623 MEDIUM

Cross-site scripting (XSS) vulnerability in the Self-Service Console in EMC RSA Authentication Manager 7.1 before SP4 P32 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to a "cross frame scripting" issue.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
emc rsa_authentication_manager 7.1
CVE-2014-0624 LOW

EMC RSA Data Loss Prevention (DLP) 9.x before 9.6-SP2 does not properly manage sessions, which allows remote authenticated users to gain privileges and bypass intended content-reading restrictions via unspecified vectors.

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
emc rsa_data_loss_prevention 9.5
emc rsa_data_loss_prevention 9.6
emc rsa_data_loss_prevention 9.0
CVE-2014-0625 MEDIUM

The SSLSocket implementation in the (1) JSAFE and (2) JSSE APIs in EMC RSA BSAFE SSL-J 5.x before 5.1.3 and 6.x before 6.0.2 allows remote attackers to cause a denial of service (memory consumption) by triggering application-data processing during the TLS handshake, a time at which the data is internally buffered.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-399,

Products Affected

Vendor Product Version
dell bsafe_ssl-j 6.0
emc rsa_bsafe_ssl-j 5.1.1
emc rsa_bsafe_ssl-j 5.0
emc rsa_bsafe_ssl-j 6.0.1
dell bsafe_ssl-j 5.1.2
emc rsa_bsafe_ssl-j 5.1.0
CVE-2014-0626 MEDIUM

The (1) JSAFE and (2) JSSE APIs in EMC RSA BSAFE SSL-J 5.x before 5.1.3 and 6.x before 6.0.2 make it easier for remote attackers to bypass intended cryptographic protection mechanisms by triggering application-data processing during the TLS handshake, a time at which the data is both unencrypted and unauthenticated.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-310,

Products Affected

Vendor Product Version
dell bsafe_ssl-j 6.0
emc rsa_bsafe_ssl-j 5.1.1
emc rsa_bsafe_ssl-j 5.0
emc rsa_bsafe_ssl-j 6.0.1
dell bsafe_ssl-j 5.1.2
emc rsa_bsafe_ssl-j 5.1.0
CVE-2014-0627 MEDIUM

The SSLEngine API implementation in EMC RSA BSAFE SSL-J 5.x before 5.1.3 and 6.x before 6.0.2 allows remote attackers to trigger the selection of a weak cipher suite by using the wrap method during a certain incomplete-handshake state.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-310,

Products Affected

Vendor Product Version
dell bsafe_ssl-j 6.0
emc rsa_bsafe_ssl-j 5.1.1
emc rsa_bsafe_ssl-j 5.0
emc rsa_bsafe_ssl-j 6.0.1
dell bsafe_ssl-j 5.1.2
emc rsa_bsafe_ssl-j 5.1.0
CVE-2014-0629 HIGH

EMC Documentum TaskSpace (TSP) 6.7SP1 before P25 and 6.7SP2 before P11 does not properly handle the interaction between the dm_world group and the dm_superusers_dynamic group, which allows remote authenticated users to obtain sensitive information and gain privileges in opportunistic circumstances by leveraging an incorrect group-addition implementation.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,

Products Affected

Vendor Product Version
emc documentum_taskspace 6.7
CVE-2014-0630 MEDIUM

EMC Documentum TaskSpace (TSP) 6.7SP1 before P25 and 6.7SP2 before P11 allows remote authenticated users to read arbitrary files via a modified imaging-service URL.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
emc documentum_taskspace 6.7
CVE-2014-0632 HIGH

Directory traversal vulnerability in EMC VPLEX GeoSynchrony 4.x and 5.x before 5.3 allows remote authenticated users to execute arbitrary code via unspecified vectors.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-22,

Products Affected

Vendor Product Version
emc vplex_geosynchrony 5.0
emc vplex_geosynchrony 4.0
emc vplex_geosynchrony 5.2.1
emc vplex_geosynchrony 5.2
emc vplex_geosynchrony 5.1
CVE-2014-0633 HIGH

The GUI in EMC VPLEX GeoSynchrony 4.x and 5.x before 5.3 does not properly validate session-timeout values, which might make it easier for remote attackers to execute arbitrary code by leveraging an unattended workstation.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
emc vplex_geosynchrony 5.0
emc vplex_geosynchrony 4.0
emc vplex_geosynchrony 5.2.1
emc vplex_geosynchrony 5.2
emc vplex_geosynchrony 5.1
CVE-2014-0634 MEDIUM

EMC VPLEX GeoSynchrony 4.x and 5.x before 5.3 does not include the HTTPOnly flag in a Set-Cookie header for an unspecified cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
emc vplex_geosynchrony 5.0
emc vplex_geosynchrony 4.0
emc vplex_geosynchrony 5.2.1
emc vplex_geosynchrony 5.2
emc vplex_geosynchrony 5.1
CVE-2014-0635 HIGH

Session fixation vulnerability in EMC VPLEX GeoSynchrony 4.x and 5.x before 5.3 allows remote attackers to hijack web sessions via unspecified vectors.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-287,

Products Affected

Vendor Product Version
emc vplex_geosynchrony 5.0
emc vplex_geosynchrony 4.0
emc vplex_geosynchrony 5.2.1
emc vplex_geosynchrony 5.2
emc vplex_geosynchrony 5.1
CVE-2014-0637 MEDIUM

Cross-site scripting (XSS) vulnerability in the back-office case-management application in RSA Adaptive Authentication (On-Premise) 6.x and 7.x before 7.1 SP0 P2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
emc rsa_adaptive_authentication_on-premise 7.1
emc rsa_adaptive_authentication_on-premise 6.0.2.1
emc rsa_adaptive_authentication_on-premise 7.0
emc rsa_adaptive_authentication_on-premise 6.0
CVE-2014-0638 MEDIUM

Cross-site scripting (XSS) vulnerability in RSA Adaptive Authentication (On-Premise) 6.x and 7.x before 7.1 SP0 P2 allows remote attackers to inject arbitrary web script or HTML via vectors involving FRAME elements, related to a "cross-frame scripting" issue.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
emc rsa_adaptive_authentication_on-premise 7.1
emc rsa_adaptive_authentication_on-premise 6.0.2.1
emc rsa_adaptive_authentication_on-premise 7.0
emc rsa_adaptive_authentication_on-premise 6.0
CVE-2014-0639 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in EMC RSA Archer 5.x before GRC 5.4 SP1 P3 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
emc rsa_archer_egrc 5.3
emc rsa_archer_egrc 5.1
emc rsa_archer_egrc 5.2
emc rsa_archer_egrc 5.4
emc rsa_archer_egrc 5.0
CVE-2014-0640 MEDIUM

EMC RSA Archer GRC Platform 5.x before 5.5 SP1 allows remote authenticated users to bypass intended restrictions on resource access via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
emc rsa_archer_egrc 5.3
emc rsa_archer_egrc 5.5
emc rsa_archer_egrc 5.4
CVE-2014-0641 MEDIUM

Cross-site request forgery (CSRF) vulnerability in EMC RSA Archer GRC Platform 5.x before 5.5 SP1 allows remote attackers to hijack the authentication of arbitrary users.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
emc rsa_archer_egrc 5.3
emc rsa_archer_egrc 5.5
emc rsa_archer_egrc 5.4
CVE-2014-0642 MEDIUM

EMC Documentum Content Server before 6.7 SP1 P26, 6.7 SP2 before P13, 7.0 before P13, and 7.1 before P02 allows remote authenticated users to bypass intended access restrictions and read metadata from certain folders via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
emc documentum_content_server 6.7
emc documentum_content_server 7.0
emc documentum_content_server 7.1
emc documentum_content_server *
emc documentum_content_server 6.5
emc documentum_content_server 6.0
emc documentum_content_server 6.6
CVE-2014-0643 HIGH

EMC RSA NetWitness before 9.8.5.19 and RSA Security Analytics before 10.2.4 and 10.3.x before 10.3.2, when Kerberos PAM is enabled, do not require a password, which allows remote attackers to bypass authentication by leveraging knowledge of a valid account name.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-287,

Products Affected

Vendor Product Version
emc rsa_netwitness *
emc rsa_security_analytics *
CVE-2014-0644 HIGH

EMC Cloud Tiering Appliance (CTA) 10 through SP1 allows remote attackers to read arbitrary files via an api/login request containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, as demonstrated by reading the /etc/shadow file.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-200,

Products Affected

Vendor Product Version
emc cloud_tiering_appliance_software 10.0
emc cloud_tiering_appliance -
CVE-2014-0645 MEDIUM

EMC Cloud Tiering Appliance (CTA) 9.x through 10 SP1 and File Management Appliance (FMA) 7.x store DES password hashes for the root, super, and admin accounts, which makes it easier for context-dependent attackers to obtain sensitive information via a brute-force attack.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-255,

Products Affected

Vendor Product Version
emc cloud_tiering_appliance_software 10.0
emc file_management_appliance_software 7.0
emc cloud_tiering_appliance_software 9.0
emc file_management_appliance -
emc cloud_tiering_appliance -
CVE-2014-0646 MEDIUM

The runtime WS component in the server in EMC RSA Access Manager 6.1.3 before 6.1.3.39, 6.1.4 before 6.1.4.22, 6.2.0 before 6.2.0.11, and 6.2.1 before 6.2.1.03, when INFO logging is enabled, allows local users to discover cleartext passwords by reading log files.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-310,

Products Affected

Vendor Product Version
emc rsa_access_manager 6.1
emc rsa_access_manager 6.2
CVE-2014-2276 MEDIUM

The FileUploadController servlet in EMC Connectrix Manager Converged Network Edition (CMCNE) before 12.1.5 does not properly restrict additions to the Connectrix Manager repository, which allows remote attackers to obtain sensitive information by importing a crafted firmware file.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
emc connectrix_manager *
CVE-2014-2502 MEDIUM

Cross-site scripting (XSS) vulnerability in rsa_fso.swf in EMC RSA Adaptive Authentication (Hosted) 11.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
emc rsa_adaptive_authentication_hosted 11.0
CVE-2014-2503 HIGH

The thumbnail proxy server in EMC Documentum Digital Asset Manager (DAM) 6.5 SP3, 6.5 SP4, 6.5 SP5, and 6.5 SP6 before P13 allows remote attackers to conduct Documentum Query Language (DQL) injection attacks and bypass intended restrictions on querying objects via a crafted parameter in a query string.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
emc documentum_digital_asset_manager 6.5
CVE-2014-2504 HIGH

EMC Documentum D2 3.1 before P20, 3.1 SP1 before P02, 4.0 before P10, 4.1 before P13, and 4.2 before P01 allows remote authenticated users to bypass intended access restrictions and execute arbitrary Documentum Query Language (DQL) queries by calling (1) a core method or (2) a D2FS web-service method.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,

Products Affected

Vendor Product Version
emc documentum_d2 4.2
emc documentum_d2 4.0
emc documentum_d2 3.1
emc documentum_d2 4.1
CVE-2014-2505 MEDIUM

EMC RSA Archer GRC Platform 5.x before 5.5 SP1 allows remote attackers to trigger the download of arbitrary code, and consequently change the product's functionality, via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
emc rsa_archer_egrc 5.3
emc rsa_archer_egrc 5.5
emc rsa_archer_egrc 5.4
CVE-2014-2506 HIGH

EMC Documentum Content Server before 6.7 SP1 P28, 6.7 SP2 before P14, 7.0 before P15, and 7.1 before P05 allows remote authenticated users to obtain super-user privileges for system-object creation, and bypass intended restrictions on data access and server actions, via unspecified vectors.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,

Products Affected

Vendor Product Version
emc documentum_content_server 6.7
emc documentum_content_server 7.0
emc documentum_content_server 7.1
emc documentum_content_server *
emc documentum_content_server 6.5
emc documentum_content_server 6.0
emc documentum_content_server 6.6
CVE-2014-2507 HIGH

EMC Documentum Content Server before 6.7 SP1 P28, 6.7 SP2 before P14, 7.0 before P15, and 7.1 before P05 allows remote authenticated users to execute arbitrary commands via shell metacharacters in arguments to unspecified methods.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,

Products Affected

Vendor Product Version
emc documentum_content_server 6.7
emc documentum_content_server 7.0
emc documentum_content_server 7.1
emc documentum_content_server *
emc documentum_content_server 6.5
emc documentum_content_server 6.0
emc documentum_content_server 6.6
CVE-2014-2508 HIGH

EMC Documentum Content Server before 6.7 SP1 P28, 6.7 SP2 before P14, 7.0 before P15, and 7.1 before P05 allows remote authenticated users to conduct Documentum Query Language (DQL) injection attacks and bypass intended restrictions on database actions via vectors involving DQL hints.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
emc documentum_content_server 6.7
emc documentum_content_server 7.0
emc documentum_content_server 7.1
emc documentum_content_server *
emc documentum_content_server 6.5
emc documentum_content_server 6.0
emc documentum_content_server 6.6
CVE-2014-2509 MEDIUM

Session fixation vulnerability in the Report Advisor (RA) component in EMC Network Configuration Manager (NCM) before 9.3 allows remote attackers to hijack web sessions via a session cookie.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
emc smarts_network_configuration_manager 9.1
emc smarts_network_configuration_manager *
CVE-2014-2510 MEDIUM

The JAXB XML parser in EMC Documentum Foundation Services (DFS) 6.6 before P39, 6.7 SP1 before P28, and 6.7 SP2 before P15, as used in My Documentum for Desktop, My Documentum for Microsoft Outlook, and CenterStage, allows remote authenticated users to read arbitrary files via an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
emc documentum_foundation_services 6.7
emc my_documentum_for_microsoft_outlook 6.7.3
emc my_documentum_for_microsoft_outlook 6.7
emc my_documentum_for_desktop 6.7.2
emc documentum_foundation_services 6.6
emc centerstage 1.2
emc my_documentum_for_microsoft_outlook 6.7.1
CVE-2014-2511 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in EMC Documentum WebTop before 6.7 SP1 P28 and 6.7 SP2 before P14 allow remote attackers to inject arbitrary web script or HTML via the (1) startat or (2) entryId parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
emc documentum_webtop 6.7
emc records_client 6.7
emc web_publishers 6.5
emc documentum_administrator 6.7
emc documentum_administrator 7.0
emc documentum_capital_projects 1.9
emc documentum_administrator 7.1
emc documentum_capital_projects 1.8
emc engineering_plant_facilities_management_solution_for_documentum 1.7
emc task_space 6.7
emc digital_assets_manager 6.5
CVE-2014-2512 LOW

Multiple cross-site scripting (XSS) vulnerabilities in EMC Documentum eRoom 7.4.3, 7.4.4 before P19, and 7.4.4 SP1 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
emc documentum_eroom 7.4.4
emc documentum_eroom 7.4.3
CVE-2014-2513 HIGH

EMC Documentum Content Server before 6.7 SP1 P28, 6.7 SP2 before P15, 7.0 before P15, and 7.1 before P06 does not properly check authorization after creation of an object, which allows remote authenticated users to execute arbitrary code with super-user privileges via a custom script.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
emc documentum_content_server 6.7
emc documentum_content_server 7.0
emc documentum_content_server 7.1
emc documentum_content_server *
CVE-2014-2514 HIGH

EMC Documentum Content Server before 6.7 SP1 P28, 6.7 SP2 before P15, 7.0 before P15, and 7.1 before P06 does not properly check authorization and does not properly restrict object types, which allows remote authenticated users to run save RPC commands with super-user privileges, and consequently execute arbitrary code, via unspecified vectors.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
emc documentum_content_server 6.7
emc documentum_content_server 7.0
emc documentum_content_server 7.1
emc documentum_content_server *
CVE-2014-2515 HIGH

EMC Documentum D2 3.1 before P24, 3.1SP1 before P02, 4.0 before P11, 4.1 before P16, and 4.2 before P05 does not properly restrict tickets provided by D2GetAdminTicketMethod and D2RefreshCacheMethod, which allows remote authenticated users to gain privileges via a request for a superuser ticket.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,

Products Affected

Vendor Product Version
emc documentum_d2 4.2
emc documentum_d2 4.0
emc documentum_d2 3.1
emc documentum_d2 4.1
CVE-2014-2516 MEDIUM

Open redirect vulnerability in EMC RSA Authentication Manager 8.x before 8.1 Patch 6 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
emc rsa_authentication_manager 8.1
emc rsa_authentication_manager 8.0
CVE-2014-2517 MEDIUM

Unspecified vulnerability in EMC RSA Archer GRC Platform 5.x before 5.5 SP1 allows remote authenticated users to gain privileges via unknown vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
emc rsa_archer_egrc 5.3
emc rsa_archer_egrc 5.5
emc rsa_archer_egrc 5.4
CVE-2014-2518 MEDIUM

Multiple cross-site request forgery (CSRF) vulnerabilities in EMC Documentum WDK before 6.7SP1 P28 and 6.7SP2 before P15 allow remote attackers to hijack the authentication of arbitrary users.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
emc documentum_webtop 6.7
emc web_publishers 6.5
emc documentum_administrator 6.7
emc documentum_records_manager 6.7
emc documentum_capital_projects 1.9
emc task_space 6.7
emc documentum_wdk 6.7
emc digital_assets_manager 6.5
emc documentum_administrator 7.0
emc documentum_administrator 7.1
emc documentum_capital_projects 1.8
emc engineering_plant_facilities_management_solution_for_documentum 1.7
CVE-2014-2519 MEDIUM

The default configuration of EMC RecoverPoint Appliance (RPA) 4.1 before 4.1.0.1 does not enable a firewall, which allows remote attackers to obtain potentially sensitive information about open ports, or cause a denial of service, by sending packets to many ports.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
emc recoverpoint_appliance 4.1
CVE-2014-2520 MEDIUM

EMC Documentum Content Server before 6.7 SP2 P16 and 7.x before 7.1 P07, when Oracle Database is used, does not properly restrict DQL hints, which allows remote authenticated users to conduct DQL injection attacks and read sensitive database content via a crafted request.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
emc documentum_content_server 6.7
emc documentum_content_server 7.0
emc documentum_content_server 7.1
emc documentum_content_server *
emc documentum_content_server 6.5
emc documentum_content_server 6.0
emc documentum_content_server 6.6
CVE-2014-2521 MEDIUM

EMC Documentum Content Server before 6.7 SP2 P16 and 7.x before 7.1 P07 allows remote authenticated users to read sensitive object metadata via an RPC command.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
emc documentum_content_server 6.7
emc documentum_content_server 7.0
emc documentum_content_server 7.1
emc documentum_content_server *
emc documentum_content_server 6.5
emc documentum_content_server 6.0
emc documentum_content_server 6.6
CVE-2014-4618 HIGH

EMC Documentum Content Server before 6.7 SP2 P16 and 7.x before 7.1 P07 allows remote authenticated users to gain privileges via a user-created system object.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,

Products Affected

Vendor Product Version
emc documentum_content_server 6.7
emc documentum_content_server 7.0
emc documentum_content_server 7.1
emc documentum_content_server *
emc documentum_content_server 6.5
emc documentum_content_server 6.0
emc documentum_content_server 6.6
CVE-2014-4619 HIGH

EMC RSA Identity Management and Governance (IMG) 6.5.x before 6.5.1 P11, 6.5.2 before P02HF01, and 6.8.x before 6.8.1 P07, when Novell Identity Manager (aka NovellIM) is used, allows remote attackers to bypass authentication via an arbitrary valid username.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-287,

Products Affected

Vendor Product Version
emc rsa_identity_management_and_governance 6.5.1
emc rsa_identity_management_and_governance 6.8.1
emc rsa_identity_management_and_governance 6.5.2
emc rsa_identity_management_and_governance 6.8.0
emc rsa_identity_management_and_governance 6.5.0
CVE-2014-4620 LOW

The EMC NetWorker Module for MEDITECH (aka NMMEDI) 3.0 build 87 through 90, when EMC RecoverPoint and Plink are used, stores cleartext RecoverPoint Appliance credentials in nsrmedisv.raw log files, which allows local users to obtain sensitive information by reading these files.

CVSS 2.0

Severity: LOW

Problem Type: CWE-200,

Products Affected

Vendor Product Version
emc networker *
meditech meditech 3.0
CVE-2014-4621 HIGH

EMC Documentum Content Server before 6.7 SP2 P17, 7.0 through P15, and 7.1 before P08 does not properly check authorization for subtypes of protected system types, which allows remote authenticated users to obtain super-user privileges for system-object creation, and bypass intended restrictions on data access and server actions, via unspecified vectors.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,

Products Affected

Vendor Product Version
emc documentum_content_server 6.7
emc documentum_content_server 7.0
emc documentum_content_server 7.1
emc documentum_content_server *
emc documentum_content_server 6.5
emc documentum_content_server 6.0
emc documentum_content_server 6.6
CVE-2014-4622 HIGH

EMC Documentum Content Server before 6.7 SP2 P17, 7.0 through P15, and 7.1 before P08 does not properly check authorization for subgroups of privileged groups, which allows remote authenticated sysadmins to gain super-user privileges, and bypass intended restrictions on data access and server actions, via unspecified vectors.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,

Products Affected

Vendor Product Version
emc documentum_content_server 6.7
emc documentum_content_server 7.0
emc documentum_content_server 7.1
emc documentum_content_server *
emc documentum_content_server 6.5
emc documentum_content_server 6.0
emc documentum_content_server 6.6
CVE-2014-4623 MEDIUM

EMC Avamar 6.0.x, 6.1.x, and 7.0.x in Avamar Data Store (ADS) GEN4(S) and Avamar Virtual Edition (AVE), when Password Hardening before 2.0.0.4 is enabled, uses UNIX DES crypt for password hashing, which makes it easier for context-dependent attackers to obtain cleartext passwords via a brute-force attack.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-310,

Products Affected

Vendor Product Version
emc avamar 6.0.3
emc avamar 7.0
emc avamar 6.1.101-87
emc avamar 6.0.1
emc avamar 6.0.2
emc avamar 6.1
CVE-2014-4626 HIGH

EMC Documentum Content Server before 6.7 SP1 P29, 6.7 SP2 before P18, 7.0 before P16, and 7.1 before P09 allows remote authenticated users to gain privileges by (1) placing a command in a dm_job object and setting this object's owner to a privileged user or placing a rename action in a dm_job_request object and waiting for a (2) dm_UserRename or (3) dm_GroupRename service task, aka ESA-2014-105. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2515.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,

Products Affected

Vendor Product Version
emc documentum_content_server 6.7
emc documentum_content_server 7.0
emc documentum_content_server 7.1
emc documentum_content_server *
CVE-2014-4628 MEDIUM

Cross-site scripting (XSS) vulnerability in EMC Isilon InsightIQ 2.x and 3.x before 3.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
emc isilon_insightiq 2.0.0
emc isilon_insightiq 3.0.0
emc isilon_insightiq 2.5.1
emc isilon_insightiq 2.5.2
emc isilon_insightiq 2.1.0
emc isilon_insightiq 2.0.1
emc isilon_insightiq 2.5.0
emc isilon_insightiq 3.0.1
CVE-2014-4629 HIGH

EMC Documentum Content Server 7.0, 7.1 before 7.1 P10, and 6.7 before SP2 P19 allows remote authenticated users to read or delete arbitrary files via unspecified vectors related to an insecure direct object reference.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,

Products Affected

Vendor Product Version
emc documentum_content_server 6.7
emc documentum_content_server 7.0
emc documentum_content_server 7.1
CVE-2014-4631 MEDIUM

RSA Adaptive Authentication (On-Premise) 6.0.2.1 through 7.1 P3, when using device binding in a Challenge SOAP call or using the RSA Adaptive Authentication Integration Adapters with Out-of-Band Phone (Authentify) functionality, conducts permanent device binding even when authentication fails, which allows remote attackers to bypass authentication.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-287,

Products Affected

Vendor Product Version
emc rsa_adaptive_authentication_on-premise 7.1
emc rsa_adaptive_authentication_on-premise 6.0.2.1
emc rsa_adaptive_authentication_on-premise 7.0
CVE-2014-4633 MEDIUM

Cross-site scripting (XSS) vulnerability in EMC RSA Archer GRC Platform 5.x before 5.5.1.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
emc rsa_archer_egrc 5.3
emc rsa_archer_egrc 5.1
emc rsa_archer_egrc 5.2
emc rsa_archer_egrc 5.5
emc rsa_archer_egrc 5.4
emc rsa_archer_egrc 5.0
emc rsa_archer_egrc 5.5.1
CVE-2014-4634 MEDIUM

Unquoted Windows search path vulnerability in EMC Replication Manager through 5.5.2 and AppSync before 2.1.0 allows local users to gain privileges via a Trojan horse application with a name composed of an initial substring of a path that contains a space character.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
emc replication_manager 5.4
emc replication_manager 5.4.3
emc appsync *
emc replication_manager 5.2
emc replication_manager *
emc replication_manager 5.0
emc replication_manager 5.5.1
emc replication_manager 5.1
emc replication_manager 5.3
emc replication_manager 5.5
CVE-2014-4635 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in EMC Documentum Web Development Kit (WDK) before 6.8 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
emc documentum_wdk *
CVE-2014-4636 MEDIUM

Cross-site request forgery (CSRF) vulnerability in EMC Documentum Web Development Kit (WDK) before 6.8 allows remote attackers to hijack the authentication of arbitrary users for requests that perform Docbase operations.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
emc documentum_wdk *
CVE-2014-4637 MEDIUM

Open redirect vulnerability in EMC Documentum Web Development Kit (WDK) before 6.8 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via an unspecified parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
emc documentum_wdk *
CVE-2014-4638 MEDIUM

EMC Documentum Web Development Kit (WDK) before 6.8 allows remote attackers to conduct frame-injection attacks and obtain sensitive information via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
emc documentum_wdk *
CVE-2014-4639 MEDIUM

EMC Documentum Web Development Kit (WDK) before 6.8 does not properly generate random numbers for a certain parameter related to Webtop components, which makes it easier for remote attackers to conduct phishing attacks via brute-force attempts to predict the parameter value.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-189,

Products Affected

Vendor Product Version
emc documentum_wdk *
CVE-2015-0512 MEDIUM

Open redirect vulnerability in EMC Unisphere Central before 4.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via an unspecified parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
emc unisphere_central *
CVE-2015-0513 LOW

Multiple cross-site scripting (XSS) vulnerabilities in the administrative user interface in EMC M&R (aka Watch4Net) before 6.5u1 and ViPR SRM before 3.6.1 allow remote authenticated users to inject arbitrary web script or HTML by leveraging privileged access to set crafted values of unspecified fields.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
emc watch4net *
emc vipr_srm *
CVE-2015-0514 MEDIUM

EMC M&R (aka Watch4Net) before 6.5u1 and ViPR SRM before 3.6.1 might allow remote attackers to obtain cleartext data-center discovery credentials by leveraging certain SRM access to conduct a decryption attack.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
emc watch4net *
emc vipr_srm *
CVE-2015-0515 MEDIUM

Unrestricted file upload vulnerability in EMC M&R (aka Watch4Net) before 6.5u1 and ViPR SRM before 3.6.1 allows remote authenticated users to execute arbitrary code by uploading and then accessing an executable file.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
emc watch4net *
emc vipr_srm *
CVE-2015-0516 MEDIUM

Directory traversal vulnerability in EMC M&R (aka Watch4Net) before 6.5u1 and ViPR SRM before 3.6.1 allows remote authenticated users to read arbitrary files via a crafted URL.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
emc watch4net *
emc vipr_srm *
CVE-2015-0517 MEDIUM

The D2-API component in EMC Documentum D2 3.1 through SP1, 4.0 and 4.1 before 4.1 P22, and 4.2 before P11 places the MD5 hash of an encryption passphrase in log files, which allows remote authenticated users to obtain sensitive information by reading a file.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
emc documentum_d2 4.2
emc documentum_d2 4.0
emc documentum_d2 3.1
emc documentum_d2 4.1
CVE-2015-0518 HIGH

The Properties service in the D2FS web-service component in EMC Documentum D2 3.1 through SP1, 4.0 and 4.1 before 4.1 P22, and 4.2 before P11 allows remote authenticated users to obtain superuser privileges via an unspecified method call that modifies group permissions.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,

Products Affected

Vendor Product Version
emc documentum_d2 4.2
emc documentum_d2 4.0
emc documentum_d2 3.1
emc documentum_d2 4.1
CVE-2015-0519 LOW

The InputAccel Database (IADB) installation process in EMC Captiva Capture 7.0 before patch 25 and 7.1 before patch 13 places a cleartext InputAccel (IA) SQL password in a DAL log file, which allows local users to obtain sensitive information by reading a file.

CVSS 2.0

Severity: LOW

Problem Type: CWE-200,

Products Affected

Vendor Product Version
emc captiva_capture 7.0
emc captiva_capture 7.1
CVE-2015-0521 LOW

Cross-site scripting (XSS) vulnerability in EMC RSA Certificate Manager (RCM) before 6.9 build 558 and RSA Registration Manager (RRM) before 6.9 build 558 allows remote authenticated users to inject arbitrary web script or HTML via vectors related to the CMP shared secret parameter.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
emc rsa_registration_manager *
emc rsa_certificate_manager *
CVE-2015-0522 MEDIUM

Cross-site scripting (XSS) vulnerability in EMC RSA Certificate Manager (RCM) before 6.9 build 558 and RSA Registration Manager (RRM) before 6.9 build 558 allows remote attackers to inject arbitrary web script or HTML via vectors related to the email address parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
emc rsa_registration_manager *
emc rsa_certificate_manager *
CVE-2015-0523 HIGH

EMC RSA Certificate Manager (RCM) before 6.9 build 558 and RSA Registration Manager (RRM) before 6.9 build 558 allow remote attackers to cause an Administration Server denial of service via an invalid MIME e-mail message with a multipart/* Content-Type header.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
emc rsa_registration_manager *
emc rsa_certificate_manager *
CVE-2015-0524 HIGH

SQL injection vulnerability in the Gateway Provisioning service in EMC Secure Remote Services Virtual Edition (ESRS VE) 3.02 and 3.03 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
emc secure_remote_services 3.02
emc secure_remote_services 3.03
CVE-2015-0525 HIGH

The Gateway Provisioning service in EMC Secure Remote Services Virtual Edition (ESRS VE) 3.02 and 3.03 allows remote attackers to execute arbitrary OS commands via unspecified vectors.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,

Products Affected

Vendor Product Version
emc secure_remote_services 3.02
emc secure_remote_services 3.03
CVE-2015-0526 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in EMC RSA Validation Manager (RVM) 3.2 before build 201 allow remote attackers to inject arbitrary web script or HTML via the (1) displayMode or (2) wrapPreDisplayMode parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
emc rsa_validation_manager *
CVE-2015-0527 LOW

EMC Documentum xCelerated Management System (xMS) 1.1 before P14 stores cleartext Windows Service credentials in a batch file during Documentum Platform and xCelerated Composition Platform (xCP) provisioning, which allows local users to obtain sensitive information by reading a file.

CVSS 2.0

Severity: LOW

Problem Type: CWE-200,

Products Affected

Vendor Product Version
emc documentum_xcelerated_management_system 1.1
CVE-2015-0528 HIGH

The RPC daemon in EMC Isilon OneFS 6.5.x and 7.0.x before 7.0.2.13, 7.1.0 before 7.1.0.6, 7.1.1 before 7.1.1.2, and 7.2.0 before 7.2.0.1 allows local users to gain privileges by leveraging an ability to modify system files.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,

Products Affected

Vendor Product Version
emc isilon_onefs 7.1.1.1
emc isilon_onefs 7.1.0.0
emc isilon_onefs *
emc isilon_onefs 7.1.0.1
emc isilon_onefs 7.1.0.2
emc isilon_onefs 7.2.0.0
emc isilon_onefs 7.1.0.5
emc isilon_onefs 7.1.0.3
emc isilon_onefs 7.1.0.4
emc isilon_onefs 7.1.1.0
CVE-2015-0529 MEDIUM

EMC PowerPath Virtual Appliance (aka vApp) before 2.0 has default passwords for the (1) emcupdate and (2) svcuser accounts, which makes it easier for remote attackers to obtain potentially sensitive information via a login session.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-255,

Products Affected

Vendor Product Version
emc powerpath_virtual_appliance *
CVE-2015-0530 HIGH

Buffer overflow in an unspecified function in nsr_render_log in EMC NetWorker before 8.0.4.3, 8.1.x before 8.1.2.6, and 8.2.x before 8.2.1.2 allows local users to gain privileges via unknown vectors.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
emc networker 8.1.0.1
emc networker 8.1.1.9
emc networker 8.1.2.0
emc networker *
emc networker 8.1.1.6
emc networker 8.1.0.4
emc networker 8.1.1.3
emc networker 8.2.0.4
emc networker 8.2.0.6
emc networker 8.2.1.0
emc networker 8.1.1.4
emc networker 8.2.0.3
emc networker 8.1.2.5
emc networker 8.1.0.0
emc networker 8.1.0.5
emc networker 8.1.2.3
emc networker 8.1.1.7
emc networker 8.1.1.8
emc networker 8.1.2.1
emc networker 8.1.1.2
emc networker 8.1.0.3
emc networker 8.2.0.2
emc networker 8.1.1.5
emc networker 8.2.0.1
emc networker 8.1.1.0
emc networker 8.1.1.1
emc networker 8.2.0.0
emc networker 8.2.0.5
emc networker 8.1.0.2
emc networker 8.2.1.1
emc networker 8.1.2.4
emc networker 8.1.2.2
CVE-2015-0531 MEDIUM

EMC SourceOne Email Management before 7.2 does not have a lockout mechanism for invalid login attempts, which makes it easier for remote attackers to obtain access via a brute-force attack.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-284,

Products Affected

Vendor Product Version
emc sourceone_email_management *
CVE-2015-0532 HIGH

EMC RSA Identity Management and Governance (IMG) 6.9 before P04 and 6.9.1 before P01 does not properly restrict password resets, which allows remote attackers to obtain access via crafted use of the reset process for an arbitrary valid account name, as demonstrated by a privileged account.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,

Products Affected

Vendor Product Version
emc rsa_identity_management_and_governance 6.9.0
emc rsa_identity_management_and_governance 6.9.1
CVE-2015-0538 HIGH

ftagent.exe in EMC AutoStart 5.4.x and 5.5.x before 5.5.0.508 HF4 allows remote attackers to execute arbitrary commands via crafted packets.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-77,

Products Affected

Vendor Product Version
emc autostart *
CVE-2015-0540 MEDIUM

SQL injection vulnerability in the xAdmin interface in EMC Document Sciences xPression 4.2 before P44 and 4.5 SP1 before P03 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
emc document_sciences_xpression 4.5
emc document_sciences_xpression 4.2
CVE-2015-0542 MEDIUM

Multiple cross-site request forgery (CSRF) vulnerabilities in EMC RSA Archer GRC 5.5 SP1 before P3 allow remote attackers to hijack the authentication of arbitrary users.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
emc rsa_archer_egrc 5.5
CVE-2015-0543 MEDIUM

EMC Secure Remote Services Virtual Edition (ESRS VE) 3.x before 3.06 does not properly verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
emc secure_remote_services 3.02
emc secure_remote_services 3.03
emc secure_remote_services 3.04
CVE-2015-0544 HIGH

EMC Secure Remote Services Virtual Edition (ESRS VE) 3.x before 3.06 does not properly generate random values for session cookies, which makes it easier for remote attackers to hijack sessions by predicting a value.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
emc secure_remote_services 3.02
emc secure_remote_services 3.03
emc secure_remote_services 3.04
CVE-2015-0545 HIGH

EMC Unisphere for VMAX 8.x before 8.0.3.4 sets up the Java Debugging Wire Protocol (JDWP) service, which allows remote attackers to execute arbitrary code via unspecified vectors.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
emc unisphere 8.0.3
emc unisphere 8.0.0
emc unisphere 8.0.1
emc unisphere 8.0.2
CVE-2015-0546 HIGH

EMC Unified Infrastructure Manager/Provisioning (UIM/P) 4.1 allows remote attackers to bypass LDAP authentication by providing a valid account name.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,

Products Affected

Vendor Product Version
emc unified_infrastructure_manager/provisioning 4.1
CVE-2015-0547 MEDIUM

The D2CenterstageService.getComments service method in EMC Documentum D2 4.1 and 4.2 before 4.2 P16 and 4.5 before P03 allows remote authenticated users to conduct Documentum Query Language (DQL) injection attacks and bypass intended read-access restrictions via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
emc documentum_d2 4.5
emc documentum_d2 4.2
emc documentum_d2 4.1
CVE-2015-0548 MEDIUM

The D2DownloadService.getDownloadUrls service method in EMC Documentum D2 4.1 and 4.2 before 4.2 P16 and 4.5 before P03 allows remote authenticated users to conduct Documentum Query Language (DQL) injection attacks and bypass intended read-access restrictions via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
emc documentum_d2 4.5
emc documentum_d2 4.2
emc documentum_d2 4.1
CVE-2015-0549 LOW

Cross-site scripting (XSS) vulnerability in EMC Documentum D2 before 4.5 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
emc documentum_d2 *
CVE-2015-0550 HIGH

Directory traversal vulnerability in EMC Documentum Thumbnail Server 6.7SP1 before P32, 6.7SP2 before P25, 7.0 before P19, 7.1 before P16, and 7.2 before P01 allows remote attackers to bypass intended Content Server access restrictions via unspecified vectors.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-22,

Products Affected

Vendor Product Version
emc documentum_thumbnail_server 7.0
emc documentum_thumbnail_server 6.7
emc documentum_thumbnail_server 7.1
emc documentum_thumbnail_server 7.2
CVE-2015-0551 LOW

Multiple cross-site scripting (XSS) vulnerabilities in EMC Documentum WebTop 6.7SP1 before P31, 6.7SP2 before P23, and 6.8 before P01; Documentum Administrator 6.7SP1 before P31, 6.7SP2 before P23, 7.0 before P18, 7.1 before P15, and 7.2 before P01; Documentum Digital Assets Manager 6.5SP6 before P25; Documentum Web Publishers 6.5 SP7 before P25; and Documentum Task Space 6.7SP1 before P31 and 6.7SP2 before P23 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
emc documentum_webtop 6.7
emc documentum_administrator 6.7
emc documentum_administrator 7.0
emc documentum_webtop 6.8
emc documentum_administrator 7.1
emc documentum_digital_asset_manager 6.5
emc documentum_administrator 7.2
emc documentum_taskspace 6.7
emc documentum_web_publisher 6.5
CVE-2015-4524 MEDIUM

Unrestricted file upload vulnerability in EMC Documentum WebTop 6.7SP1 before P31, 6.7SP2 before P23, and 6.8 before P01; Documentum Administrator 6.7SP1 before P31, 6.7SP2 before P23, 7.0 before P18, 7.1 before P15, and 7.2 before P01; Documentum Digital Assets Manager 6.5SP6 before P25; Documentum Web Publishers 6.5 SP7 before P25; and Documentum Task Space 6.7SP1 before P31 and 6.7SP2 before P23 allows remote authenticated users to execute arbitrary code by uploading a file to the backend Content Server.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-434,

Products Affected

Vendor Product Version
emc documentum_webtop 6.7
emc documentum_administrator 6.7
emc documentum_administrator 7.0
emc documentum_webtop 6.8
emc documentum_administrator 7.1
emc documentum_digital_asset_manager 6.5
emc documentum_administrator 7.2
emc documentum_taskspace 6.7
emc documentum_web_publisher 6.5
CVE-2015-4525 HIGH

The log-gather implementation in the web administration interface in EMC Isilon OneFS 6.5.x.x through 7.1.1.x before 7.1.1.5 and 7.2.0.x before 7.2.0.2 allows remote authenticated users to execute arbitrary commands with root privileges via unspecified vectors.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-77,

Products Affected

Vendor Product Version
emc isilon_onefs 7.1.1.2
emc isilon_onefs 7.1.1.4
emc isilon_onefs 7.1.1.1
emc isilon_onefs *
emc isilon_onefs 7.2.0.1
emc isilon_onefs 7.2.0.0
emc isilon_onefs 7.1.1.3
CVE-2015-4526 HIGH

EMC RecoverPoint for Virtual Machines (VMs) 4.2 allows local users to obtain root-shell access by bypassing the Installation Manager Boxmgmt CLI interface.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-284,

Products Affected

Vendor Product Version
emc recoverpoint_for_virtual_machines 4.2
CVE-2015-4527 HIGH

Directory traversal vulnerability in EMC Avamar Server 7.x before 7.1.2 and Avamar Virtual Addition (AVE) 7.x before 7.1.2 allows remote attackers to read arbitrary files by using the Avamar Desktop/Laptop client interface to send crafted parameters.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-200,

Products Affected

Vendor Product Version
emc avamar_server 7.1
emc avamar_server_virtual_edition 7.1
CVE-2015-4528 LOW

Cross-site scripting (XSS) vulnerability in EMC Documentum CenterStage 1.2SP1 and 1.2SP2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
emc documentum_centerstage 1.2
CVE-2015-4529 MEDIUM

Open redirect vulnerability in EMC Documentum WebTop before 6.8P02, Documentum Administrator before 7.2P01, Documentum Digital Assets Manager through 6.5SP6, Documentum Web Publishers through 6.5SP7, and Documentum Task Space through 6.7SP2 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a crafted URL.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
emc documentum_webtop *
emc documentum_digital_asset_manager *
emc documentum_administrator *
emc documentum_taskspace *
emc documentum_web_publisher *
CVE-2015-4530 MEDIUM

Cross-site request forgery (CSRF) vulnerability in EMC Documentum WebTop before 6.8P01, Documentum Administrator through 7.2, Documentum Digital Assets Manager through 6.5SP6, Documentum Web Publishers through 6.5SP7, and Documentum Task Space through 6.7SP2 allows remote attackers to hijack the authentication of arbitrary users. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2518.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
emc documentum_webtop *
emc documentum_digital_asset_manager *
emc documentum_administrator *
emc documentum_taskspace *
emc documentum_web_publisher *
CVE-2015-4531 HIGH

EMC Documentum Content Server before 6.7SP1 P32, 6.7SP2 before P25, 7.0 before P19, 7.1 before P16, and 7.2 before P02 does not properly check authorization for subgroups of privileged groups, which allows remote authenticated sysadmins to gain super-user privileges, and bypass intended restrictions on data access and server actions, via unspecified vectors. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-4622.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,

Products Affected

Vendor Product Version
emc documentum_content_server 6.7
emc documentum_content_server 7.0
emc documentum_content_server 7.1
emc documentum_content_server 7.2
CVE-2015-4532 HIGH

EMC Documentum Content Server before 6.7SP1 P32, 6.7SP2 before P25, 7.0 before P19, 7.1 before P16, and 7.2 before P02 does not properly check authorization and does not properly restrict object types, which allows remote authenticated users to run save RPC commands with super-user privileges, and consequently execute arbitrary code, via unspecified vectors. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2514.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,

Products Affected

Vendor Product Version
emc documentum_content_server 6.7
emc documentum_content_server 7.0
emc documentum_content_server 7.1
emc documentum_content_server 7.2
CVE-2015-4533 HIGH

EMC Documentum Content Server before 6.7SP1 P32, 6.7SP2 before P25, 7.0 before P19, 7.1 before P16, and 7.2 before P02 does not properly check authorization after creation of an object, which allows remote authenticated users to execute arbitrary code with super-user privileges via a custom script. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2513.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,

Products Affected

Vendor Product Version
emc documentum_content_server 6.7
emc documentum_content_server 7.0
emc documentum_content_server 7.1
emc documentum_content_server 7.2
CVE-2015-4534 HIGH

Java Method Server (JMS) in EMC Documentum Content Server before 6.7SP1 P32, 6.7SP2 before P25, 7.0 before P19, 7.1 before P16, and 7.2 before P02 allows remote authenticated users to execute arbitrary code by forging a signature for a query string that lacks the method_verb parameter.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
emc documentum_content_server 6.7
emc documentum_content_server 7.0
emc documentum_content_server 7.1
emc documentum_content_server 7.2
CVE-2015-4535 HIGH

Java Method Server (JMS) in EMC Documentum Content Server before 6.7SP1 P32, 6.7SP2 before P25, 7.0 before P19, 7.1 before P16, and 7.2 before P02, when __debug_trace__ is configured, allows remote authenticated users to gain super-user privileges by leveraging the ability to read a log file containing a login ticket.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,

Products Affected

Vendor Product Version
emc documentum_content_server 6.7
emc documentum_content_server 7.0
emc documentum_content_server 7.1
emc documentum_content_server 7.2
CVE-2015-4536 LOW

EMC Documentum Content Server before 7.0 P20, 7.1 before P18, and 7.2 before P02, when RPC tracing is configured, stores certain obfuscated password data in a log file, which allows remote authenticated users to obtain sensitive information by reading this file.

CVSS 2.0

Severity: LOW

Problem Type: CWE-200,

Products Affected

Vendor Product Version
emc documentum_content_server 7.0
emc documentum_content_server 7.1
emc documentum_content_server 7.2
CVE-2015-4537 LOW

Lockbox in EMC Documentum D2 before 4.5 uses a hardcoded passphrase when a server lacks a D2.Lockbox file, which makes it easier for remote authenticated users to decrypt admin tickets by locating this passphrase in a decompiled D2 JAR archive.

CVSS 2.0

Severity: LOW

Problem Type: CWE-200,

Products Affected

Vendor Product Version
emc documentum_d2 *
CVE-2015-4538 HIGH

The XML parser in EMC Atmos before 2.2.3.426 and 2.3.x before 2.3.1.0 allows remote authenticated users to read arbitrary files or cause a denial of service (CPU and memory consumption) via an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
emc atmos 2.2.3
emc atmos 2.3.0
CVE-2015-4539 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in EMC RSA Identity Management & Governance (IMG) before 7.0.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
emc rsa_identity_management_and_governance *
CVE-2015-4540 LOW

Multiple cross-site scripting (XSS) vulnerabilities in EMC RSA Identity Management & Governance (IMG) before 6.8.1 P18 and 6.9.x before 6.9.1 P6 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
emc rsa_identity_management_and_governance *
CVE-2015-4541 LOW

Multiple cross-site scripting (XSS) vulnerabilities in EMC RSA Archer GRC 5.x before 5.5.3 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
emc rsa_archer_grc 5.5.0
emc rsa_archer_grc 5.5.2
emc rsa_archer_grc 5.5.1
CVE-2015-4542 MEDIUM

EMC RSA Archer GRC 5.x before 5.5.3 allows remote authenticated users to bypass intended access restrictions, and read or modify Discussion Forum Fields messages, via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
emc rsa_archer_grc 5.5.0
emc rsa_archer_grc 5.5.2
emc rsa_archer_grc 5.5.1
CVE-2015-4543 MEDIUM

EMC RSA Archer GRC 5.x before 5.5.3 uses cleartext for stored passwords in unspecified circumstances, which allows remote authenticated users to obtain sensitive information by reading database fields.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
emc rsa_archer_grc 5.5.0
emc rsa_archer_grc 5.5.2
emc rsa_archer_grc 5.5.1
CVE-2015-4544 HIGH

EMC Documentum Content Server before 7.1P20 and 7.2.x before 7.2P04 does not properly verify authorization for dm_job object access, which allows remote authenticated users to obtain superuser privileges via crafted object operations. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-4626.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,

Products Affected

Vendor Product Version
emc documentum_content_server 7.1
emc documentum_content_server 7.2
CVE-2015-4545 HIGH

EMC Isilon OneFS 7.1 before 7.1.1.8, 7.2.0 before 7.2.0.4, and 7.2.1 before 7.2.1.1 allows remote authenticated administrators to bypass a SmartLock root-login restriction by creating a root account and establishing a login session.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,

Products Affected

Vendor Product Version
emc isilon_onefs 7.1.1.1
emc isilon_onefs 7.1.0.0
emc isilon_onefs 7.2.0.2
emc isilon_onefs 7.1.0.1
emc isilon_onefs 7.2.1.0
emc isilon_onefs 7.2.0.0
emc isilon_onefs 7.1.0.5
emc isilon_onefs 7.1.0.3
emc isilon_onefs *
emc isilon_onefs 7.1.0.2
emc isilon_onefs 7.1.0.4
emc isilon_onefs 7.1.1.0
CVE-2015-4546 HIGH

Directory traversal vulnerability in EMC RSA OneStep 6.9 before build 559, as used in RSA Certificate Manager and RSA Registration Manager through 6.9 build 558 and other products, allows remote attackers to read arbitrary files via a crafted KCSOSC_ERROR_PAGE parameter.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-22,

Products Affected

Vendor Product Version
emc rsa_onestep *
emc rsa_certificate_manager *
CVE-2015-6843 MEDIUM

Reviewer in EMC SourceOne Email Supervisor before 7.2 does not properly limit attempts to authenticate, which makes it easier for remote attackers to obtain access via a brute-force approach.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
emc sourceone_email_supervisor *
CVE-2015-6844 MEDIUM

Cross-site scripting (XSS) vulnerability in Reviewer in EMC SourceOne Email Supervisor before 7.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
emc sourceone_email_supervisor *
CVE-2015-6845 HIGH

EMC SourceOne Email Supervisor before 7.2 does not properly employ random values for session IDs, which makes it easier for remote attackers to obtain access by guessing an ID.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
emc sourceone_email_supervisor *
CVE-2015-6846 MEDIUM

EMC SourceOne Email Supervisor before 7.2 uses hardcoded encryption keys, which makes it easier for attackers to obtain access by examining how a program's code conducts cryptographic operations.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-255,

Products Affected

Vendor Product Version
emc sourceone_email_supervisor *
CVE-2015-6847 LOW

The default configuration of EMC VPLEX GeoSynchrony 5.4 SP1 before P3 stores cleartext NAVISPHERE GUI passwords in a log file, which allows local users to obtain sensitive information by reading this file.

CVSS 2.0

Severity: LOW

Problem Type: CWE-200,

Products Affected

Vendor Product Version
emc vplex_geosynchrony 5.4
CVE-2015-6848 HIGH

EMC Isilon OneFS 7.1.x before 7.1.1.5, 7.2.0.x before 7.2.0.3, and 7.2.1.x before 7.2.1.1, when the RFC 2307 feature is configured but SFU is not universally present, allows remote authenticated AD users to obtain root privileges via unspecified vectors.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-284,

Products Affected

Vendor Product Version
emc isilon_onefs 7.1.1.2
emc isilon_onefs 7.1.1.4
emc isilon_onefs 7.1.1.1
emc isilon_onefs 7.2.0.2
emc isilon_onefs *
emc isilon_onefs 7.2.0.1
emc isilon_onefs 7.2.1.0
emc isilon_onefs 7.2.0.0
emc isilon_onefs 7.1.1.3
CVE-2015-6849 HIGH

EMC NetWorker before 8.0.4.5, 8.1.x before 8.1.3.6, 8.2.x before 8.2.2.2, and 9.0 before build 407 allows remote attackers to cause a denial of service (process outage) via malformed RPC authentication messages.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
emc networker 8.1.1.3
emc networker 8.2.1.0
emc networker 8.1.3.1
emc networker 8.2.0.3
emc networker 8.2.2.0
emc networker 8.2.1.2
emc networker 8.1.2.1
emc networker 8.1.0.3
emc networker 8.2.0.2
emc networker 8.1.3.4
emc networker 8.2.2.1
emc networker 8.1.1.1
emc networker 8.2.1.1
emc networker 8.1.2.4
emc networker 8.1.0.1
emc networker 8.1.1.9
emc networker 8.1.2.0
emc networker 8.1.1.6
emc networker 8.2.1.4
emc networker 8.1.0.4
emc networker 8.2.0.4
emc networker 8.2.0.6
emc networker 8.1.2.6
emc networker 8.1.1.4
emc networker 8.1.2.5
emc networker 8.2.1.5
emc networker 8.0.4.4
emc networker 8.1.0.0
emc networker 8.1.3.2
emc networker 8.1.0.5
emc networker 8.1.2.3
emc networker 8.1.1.7
emc networker 8.1.1.8
emc networker 8.2.1.7
emc networker 8.2.1.3
emc networker 8.1.3.3
emc networker 8.2.1.6
emc networker 8.1.1.2
emc networker 8.1.3.0
emc networker 8.1.1.5
emc networker 8.2.0.1
emc networker 9.0.0.0
emc networker 8.1.1.0
emc networker 8.2.0.0
emc networker 8.2.0.5
emc networker 8.2.1.8
emc networker 8.1.0.2
emc networker 8.1.2.7
emc networker 8.1.2.2
CVE-2015-6850 HIGH

EMC VPLEX GeoSynchrony 5.4 SP1 before P3 and 5.5 before Patch 1 has a default password for the root account, which allows local users to gain privileges by leveraging a login session.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,

Products Affected

Vendor Product Version
emc vplex_geosynchrony 5.5
emc vplex_geosynchrony 5.4
CVE-2015-6852 MEDIUM

Directory traversal vulnerability in the API in EMC Secure Remote Services Virtual Edition 3.x before 3.10 allows remote authenticated users to read log files via a crafted parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
emc secure_remote_services 3.02
emc secure_remote_services 3.03
emc secure_remote_services 3.0
CVE-2016-0881 MEDIUM

EMC Documentum xCP 2.1 before patch 23 and 2.2 before patch 11 allows remote authenticated users to conduct Documentum Query Language (DQL) injection attacks and obtain sensitive repository information by appending a query to a REST request.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-74,

Products Affected

Vendor Product Version
emc documentum_xcp 2.1
emc documentum_xcp 2.2
CVE-2016-0882 MEDIUM

EMC Documentum xCP 2.1 before patch 23 and 2.2 before patch 11 allows remote authenticated users to read arbitrary files via a POST request containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
emc documentum_xcp 2.1
emc documentum_xcp 2.2
CVE-2016-0886 MEDIUM

EMC Documentum xCP 2.1 before patch 24 and 2.2 before patch 12 allows remote authenticated users to obtain sensitive user-account metadata via a members/xcp_member API call.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
emc documentum_xcp 2.1
emc documentum_xcp 2.2
CVE-2016-0888 HIGH

EMC Documentum D2 before 4.6 lacks intended ACLs for configuration objects, which allows remote authenticated users to modify objects via unspecified vectors.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
emc documentum_d2 *
CVE-2016-0890 MEDIUM

EMC PowerPath Virtual (Management) Appliance 2.0, EMC PowerPath Virtual (Management) Appliance 2.0 SP1 is affected by a sensitive information disclosure vulnerability that may potentially be exploited by malicious users to compromise the affected system.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
emc powerpath_virtual_appliance 2.0
CVE-2016-0891 MEDIUM

Multiple cross-site request forgery (CSRF) vulnerabilities in administrative pages in EMC ViPR SRM before 3.7 allow remote attackers to hijack the authentication of administrators.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
emc vipr_srm *
CVE-2016-0892 MEDIUM

Cross-site scripting (XSS) vulnerability in EMC RSA Data Loss Prevention 9.6 before SP2 P5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
emc rsa_data_loss_prevention 9.6
emc rsa_data_loss_prevention 9.6.1
emc rsa_data_loss_prevention 9.6.2
emc rsa_data_loss_prevention 9.6.2.4
emc rsa_data_loss_prevention 9.6.2.1
emc rsa_data_loss_prevention 9.6.2.2
emc rsa_data_loss_prevention 9.6.2.3
CVE-2016-0893 MEDIUM

EMC RSA Data Loss Prevention 9.6 before SP2 P5 allows remote authenticated users to obtain sensitive information by reading error messages.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
emc rsa_data_loss_prevention 9.6
emc rsa_data_loss_prevention 9.6.1
emc rsa_data_loss_prevention 9.6.2
emc rsa_data_loss_prevention 9.6.2.4
emc rsa_data_loss_prevention 9.6.2.1
emc rsa_data_loss_prevention 9.6.2.2
emc rsa_data_loss_prevention 9.6.2.3
CVE-2016-0894 MEDIUM

EMC RSA Data Loss Prevention 9.6 before SP2 P5 allows remote authenticated users to bypass intended object access restrictions via a modified parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-254,

Products Affected

Vendor Product Version
emc rsa_data_loss_prevention 9.6
emc rsa_data_loss_prevention 9.6.1
emc rsa_data_loss_prevention 9.6.2
emc rsa_data_loss_prevention 9.6.2.4
emc rsa_data_loss_prevention 9.6.2.1
emc rsa_data_loss_prevention 9.6.2.2
emc rsa_data_loss_prevention 9.6.2.3
CVE-2016-0895 MEDIUM

EMC RSA Data Loss Prevention 9.6 before SP2 P5 allows remote attackers to conduct clickjacking attacks via web-site elements with crafted transparency or opacity.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
emc rsa_data_loss_prevention 9.6
emc rsa_data_loss_prevention 9.6.1
emc rsa_data_loss_prevention 9.6.2
emc rsa_data_loss_prevention 9.6.2.4
emc rsa_data_loss_prevention 9.6.2.1
emc rsa_data_loss_prevention 9.6.2.2
emc rsa_data_loss_prevention 9.6.2.3
CVE-2016-0899 LOW

EMC RSA Archer GRC 5.5.x before 5.5.3.4 allows remote authenticated users to read the web.config.bak file, and obtain sensitive credential information, by modifying the IIS configuration to set a Content-Type header for .bak files.

CVSS 2.0

Severity: LOW

Problem Type: CWE-200,

Products Affected

Vendor Product Version
emc rsa_archer_egrc 5.5.1.3
emc rsa_archer_egrc 5.5
emc rsa_archer_egrc 5.5.2.3
emc rsa_archer_egrc 5.5.1
CVE-2016-0900 MEDIUM

Cross-site scripting (XSS) vulnerability in EMC RSA Authentication Manager before 8.1 SP1 P14 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2016-0901.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
emc rsa_authentication_manager *
CVE-2016-0901 MEDIUM

Cross-site scripting (XSS) vulnerability in EMC RSA Authentication Manager before 8.1 SP1 P14 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2016-0900.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
emc rsa_authentication_manager *
CVE-2016-0902 MEDIUM

CRLF injection vulnerability in EMC RSA Authentication Manager before 8.1 SP1 P14 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
emc rsa_authentication_manager *
CVE-2016-0903 MEDIUM

Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) in EMC Avamar Server before 7.3.0-233 rely on client-side authentication, which allows remote attackers to spoof clients and read backup data via a modified client agent.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
emc avamar_server *
CVE-2016-0904 MEDIUM

Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) in EMC Avamar Server before 7.3.0-233 use the same encryption key across different customers' installations, which allows remote attackers to defeat cryptographic protection mechanisms and obtain sensitive client-server traffic information by leveraging knowledge of this key from another installation.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,CWE-310,

Products Affected

Vendor Product Version
emc avamar_server *
CVE-2016-0905 HIGH

Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) in EMC Avamar Server before 7.3.0-233 allow local users to obtain root privileges by leveraging admin access and entering a sudo command.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,

Products Affected

Vendor Product Version
emc avamar_server *
CVE-2016-0906 MEDIUM

The web-restore interface in Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) in EMC Avamar through 7.1.2 and 7.2.x through 7.2.1 allows remote authenticated users to read or delete directories via a Linux backup-restore operation.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-284,

Products Affected

Vendor Product Version
emc avamar *
CVE-2016-0907 MEDIUM

EMC Isilon OneFS 7.1.x and 7.2.x before 7.2.1.3 and 8.0.x before 8.0.0.1, and IsilonSD Edge OneFS 8.0.x before 8.0.0.1, does not require SMB signing within a DCERPC session over ncacn_np, which allows man-in-the-middle attackers to spoof SMB clients by modifying the client-server data stream, a similar issue to CVE-2016-2115.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-254,

Products Affected

Vendor Product Version
emc isilon_onefs 7.1.1.4
emc isilon_onefs 7.1.1.1
emc isilon_onefs 7.1.0.0
emc isilon_onefs 7.1.1.8
emc isilon_onefs 7.1.0.1
emc isilon_onefs 7.1.1.6
emc isilon_onefs 7.1.1.9
emc isilon_onefs 7.2.1.0
emc isilon_onefs 7.2.0.0
emc isilon_onefs 7.1.0.5
emc isilon_onefs 7.1.0.3
emc isilon_onefs 7.2.1.2
emc isilon_onefs 8.0.0.0
emc isilon_onefs 7.1.1.2
emc isilonsd_edge_onefs 8.0.0.0
emc isilon_onefs 7.1.0.6
emc isilon_onefs 7.1.0.2
emc isilon_onefs 7.1.1.7
emc isilon_onefs 7.2.1.1
emc isilon_onefs 7.1.1.3
emc isilon_onefs 7.1.0.4
emc isilon_onefs 7.1.1.0
emc isilon_onefs 7.1.1.5
CVE-2016-0908 MEDIUM

EMC Isilon OneFS 7.1.x before 7.1.1.9 and 7.2.x before 7.2.1.2 allows local users to obtain root shell access by leveraging administrative privileges.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
emc isilon_onefs 7.1.1.4
emc isilon_onefs 7.1.0.0
emc isilon_onefs 7.1.1.8
emc isilon_onefs 7.2.1.0
emc isilon_onefs 7.2.0.0
emc isilon_onefs 7.1.0.3
emc isilon_onefs 7.2.0.4
emc isilon_onefs 7.2.0.5
emc isilon_onefs 7.1.1.2
emc isilon_onefs 7.1.0.6
emc isilon_onefs 7.1.1.7
emc isilon_onefs 7.2.0.1
emc isilon_onefs 7.2.1.1
emc isilon_onefs 7.1.1.5
emc isilon_onefs 7.1.1.1
emc isilon_onefs 7.2.0.2
emc isilon_onefs 7.1.0.1
emc isilon_onefs 7.1.1.6
emc isilon_onefs 7.2.0.3
emc isilon_onefs 7.1.0.5
emc isilon_onefs 7.1.0.2
emc isilon_onefs 7.1.1.3
emc isilon_onefs 7.1.0.4
emc isilon_onefs 7.1.1.0
CVE-2016-0909 HIGH

EMC Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) versions 7.3 and older contain a vulnerability that may expose the Avamar servers to potentially be compromised by malicious users.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
emc avamar_server_virtual_edition *
emc avamar_data_store *
CVE-2016-0910 MEDIUM

EMC Data Domain OS 5.5 before 5.5.4.0, 5.6 before 5.6.1.004, and 5.7 before 5.7.2.0 stores session identifiers of GUI users in a world-readable file, which allows local users to hijack arbitrary accounts via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
emc data_domain_os *
CVE-2016-0913 HIGH

The client in EMC Replication Manager (RM) before 5.5.3.0_01-PatchHotfix, EMC Network Module for Microsoft 3.x, and EMC Networker Module for Microsoft 8.2.x before 8.2.3.6 allows remote RM servers to execute arbitrary commands by placing a crafted script in an SMB share.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
emc replication_manager *
emc networker_module_for_microsoft_applications *
emc networker_module_for_microsoft_applications 3.0.1
emc networker_module_for_microsoft_applications 3.0
CVE-2016-0914 MEDIUM

EMC Documentum WebTop 6.8 before Patch 13 and 6.8.1 before Patch 02, Documentum Administrator 7.x before 7.2 Patch 13, Documentum Capital Projects 1.9 before Patch 23 and 1.10 before Patch 10, and Documentum TaskSpace 6.7 SP3 allow remote authenticated users to bypass intended access restrictions and execute arbitrary IAPI/IDQL commands via the IAPI/IDQL interface.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-284,

Products Affected

Vendor Product Version
emc documentum_administrator 7.0
emc documentum_capital_projects 1.9
emc documentum_webtop 6.8
emc documentum_administrator 7.1
emc documentum_webtop 6.8.1
emc documentum_administrator 7.2
emc documentum_capital_projects 1.10
emc documentum_taskspace 6.7
CVE-2016-0915 MEDIUM

The Self-Service Portal in EMC RSA Authentication Manager (AM) Prime Self-Service 3.0 and 3.1 before 3.1 1915.42871 allows remote authenticated users to cause a denial of service (PIN change for an arbitrary user) via a modified token serial number within a PIN change request, related to a "direct object reference vulnerability."

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H 2.8 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
emc authentication_manager_prime 3.1
emc authentication_manager_prime 3.0
CVE-2016-0916 HIGH

EMC NetWorker 8.2.1.x and 8.2.2.x before 8.2.2.6 and 9.x before 9.0.0.6 mishandles authentication, which allows remote attackers to execute arbitrary commands by leveraging access to a different NetWorker instance.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-287,

Products Affected

Vendor Product Version
emc networker *
CVE-2016-0917 HIGH

The SMB service in EMC VNXe (VNXe3200 Operating Environment prior to 3.1.5.8711957 and VNXe3100/3150/3300 Operating Environment prior to 2.4.4.22638), VNX1 File OE before 7.1.80.3, VNX2 File OE before 8.1.9.155, and Celerra (all supported versions) does not prevent duplicate NTLM challenge-response nonces, which makes it easier for remote attackers to execute arbitrary code, or read or write to files, via a series of authentication requests, a related issue to CVE-2010-0231.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,

Products Affected

Vendor Product Version
emc vnxe_oe_firmware -
emc vnx1_oe_firmware -
emc vnx2_oe_firmware -
CVE-2016-0918 MEDIUM

EMC RSA Identity Management and Governance before 6.8.1 P25 and 6.9.x before 6.9.1 P15 and RSA Via Lifecycle and Governance before 7.0.0 P04 allow remote authenticated users to obtain User Detail Popup information via a modified URL.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
emc rsa_identity_management_and_governance *
emc rsa_identity_management_and_governance 6.9.0
emc rsa_via_lifecycle_and_governance *
emc rsa_identity_management_and_governance 6.9.1
CVE-2016-0920 HIGH

Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) in EMC Avamar Server before 7.3.0-233 allow local users to obtain root access via a crafted parameter to a command that is available in the sudo configuration.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-77,

Products Affected

Vendor Product Version
emc avamar_server *
CVE-2016-0921 MEDIUM

Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) in EMC Avamar Server before 7.3.0-233 use weak permissions for unspecified directories, which allows local users to obtain root access by replacing a script with a Trojan horse program.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
emc avamar_server *
CVE-2016-0922 MEDIUM

EMC ViPR SRM before 3.7.2 does not restrict the number of password-authentication attempts, which makes it easier for remote attackers to obtain access via a brute-force guessing attack.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-285,

Products Affected

Vendor Product Version
emc vipr_srm *
CVE-2016-0925 LOW

Cross-site scripting (XSS) vulnerability in the Case Management application in EMC RSA Adaptive Authentication (On-Premise) before 6.0.2.1.SP3.P4 HF210, 7.0.x and 7.1.x before 7.1.0.0.SP0.P6 HF50, and 7.2.x before 7.2.0.0.SP0.P0 HF20 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
emc rsa_adaptive_authentication_on-premise *
CVE-2016-6641 LOW

Cross-site scripting (XSS) vulnerability in EMC ViPR SRM before 3.7.2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
emc vipr_srm *
CVE-2016-6642 MEDIUM

Cross-site request forgery (CSRF) vulnerability in EMC ViPR SRM before 3.7.2 allows remote attackers to hijack the authentication of administrators for requests that upload files.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
emc vipr_srm *
CVE-2016-6643 MEDIUM

Cross-site scripting (XSS) vulnerability in EMC ViPR SRM before 3.7.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
emc vipr_srm *
CVE-2016-6644 MEDIUM

EMC Documentum D2 4.5 before patch 15 and 4.6 before patch 03 allows remote attackers to read arbitrary Docbase documents by leveraging knowledge of an r_object_id value.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,CWE-264,

Products Affected

Vendor Product Version
emc documentum_d2 *
CVE-2016-6645 HIGH

The vApp Managers web application in EMC Unisphere for VMAX Virtual Appliance 8.x before 8.3.0 and Solutions Enabler Virtual Appliance 8.x before 8.3.0 allows remote authenticated users to execute arbitrary code via crafted input to the (1) GeneralCmdRequest, (2) PersistantDataRequest, or (3) GetCommandExecRequest class.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
dell emc_unisphere 8.1
emc solutions_enabler 8.1
emc unisphere 8.0.3
dell emc_unisphere 8.1.2
emc solutions_enabler 8.0
emc solutions_enabler 8.0.3
dell emc_unisphere 8.2
emc solutions_enabler 8.2
dell emc_unisphere 8.0
emc solutions_enabler 8.1.2
CVE-2016-6646 HIGH

The vApp Managers web application in EMC Unisphere for VMAX Virtual Appliance 8.x before 8.3.0 and Solutions Enabler Virtual Appliance 8.x before 8.3.0 allows remote attackers to execute arbitrary code via crafted input to the (1) GetSymmCmdRequest or (2) RemoteServiceHandler class.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
dell emc_unisphere 8.1
emc solutions_enabler 8.1
emc unisphere 8.0.3
dell emc_unisphere 8.1.2
emc solutions_enabler 8.0
emc solutions_enabler 8.0.3
emc solutions_enabler 8.3
dell emc_unisphere 8.2
dell emc_unisphere 8.0
emc solutions_enabler 8.1.2
CVE-2016-6647 LOW

Cross-site scripting (XSS) vulnerability in EMC ViPR SRM before 4.0.1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
emc vipr_srm *
CVE-2016-6648 LOW

EMC RecoverPoint versions before 4.4.1.1 and EMC RecoverPoint for Virtual Machines versions before 5.0 are affected by sensitive information disclosure vulnerability as a result of incorrect permissions set on a sensitive system file. A malicious administrator with configuration privileges may access this sensitive system file and compromise the affected system.

CVSS 2.0

Severity: LOW

Problem Type: CWE-275,

Products Affected

Vendor Product Version
emc recoverpoint *
emc recoverpoint_for_virtual_machines *
CVE-2016-6649 HIGH

EMC RecoverPoint versions before 4.4.1.1 and EMC RecoverPoint for Virtual Machines versions before 5.0 are affected by multiple command injection vulnerabilities where a malicious administrator with configuration privileges may bypass the user interface and escalate his privileges to root.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-77,

Products Affected

Vendor Product Version
emc recoverpoint *
emc recoverpoint_for_virtual_machines *
CVE-2016-6650 LOW

EMC RecoverPoint versions prior to 5.0 and EMC RecoverPoint for Virtual Machines versions prior to 5.0 have an SSL Stripping Vulnerability that may potentially be exploited by malicious users to compromise the affected system.

CVSS 2.0

Severity: LOW

Problem Type: CWE-200,

Products Affected

Vendor Product Version
emc recoverpoint *
emc recoverpoint_for_virtual_machines *
CVE-2016-8213 MEDIUM

EMC Documentum WebTop Version 6.8, prior to P18 and Version 6.8.1, prior to P06; and EMC Documentum TaskSpace version 6.7SP3, prior to P02; and EMC Documentum Capital Projects Version 1.9, prior to P30 and Version 1.10, prior to P17; and EMC Documentum Administrator Version 7.0, Version 7.1, and Version 7.2 prior to P18 contain a Stored Cross-Site Scripting Vulnerability that could potentially be exploited by malicious users to compromise the affected system.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
emc documentum_administrator 7.0
emc documentum_capital_projects 1.9
emc documentum_webtop 6.8
emc documentum_administrator 7.1
emc documentum_webtop 6.8.1
emc documentum_administrator 7.2
emc documentum_capital_projects 1.10
emc documentum_taskspace 6.7
CVE-2016-8214 MEDIUM

EMC Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) versions 7.3.0 and 7.3.1 contain a vulnerability that may allow malicious administrators to compromise Avamar servers.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-275,

Products Affected

Vendor Product Version
emc avamar_data_store 7.3.0
emc avamar_data_store 7.3.1
emc avamar_virtual_edition 7.3.0
emc avamar_virtual_edition 7.3.1
CVE-2016-8215 MEDIUM

EMC RSA Security Analytics 10.5.3 and 10.6.2 contains fixes for a Reflected Cross-Site Scripting vulnerability that could potentially be exploited by malicious users to compromise the affected system.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
emc rsa_security_analytics 10.6.1
emc rsa_security_analytics 10.5
emc rsa_security_analytics 10.5.1
emc rsa_security_analytics 10.6
emc rsa_security_analytics 10.5.2
CVE-2016-9867 MEDIUM

An issue was discovered in EMC ScaleIO versions before 2.0.1.1. A low-privileged local attacker may be able to modify the kernel memory in the SCINI driver and may achieve code execution to escalate privileges to root on ScaleIO Data Client (SDC) servers.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
emc scaleio *
CVE-2016-9868 LOW

An issue was discovered in EMC ScaleIO versions before 2.0.1.1. A low-privileged local attacker may cause a denial-of-service by generating a kernel panic in the SCINI driver using IOCTL calls which may render the ScaleIO Data Client (SDC) server unavailable until the next reboot.

CVSS 2.0

Severity: LOW

Problem Type: CWE-254,

Products Affected

Vendor Product Version
emc scaleio *
CVE-2016-9869 LOW

An issue was discovered in EMC ScaleIO versions before 2.0.1.1. Incorrect permissions on the SCINI driver may allow a low-privileged local attacker to modify the configuration and render the ScaleIO Data Client (SDC) server unavailable.

CVSS 2.0

Severity: LOW

Problem Type: CWE-275,

Products Affected

Vendor Product Version
emc scaleio *
CVE-2016-9870 HIGH

EMC Isilon OneFS 8.0.0.0, EMC Isilon OneFS 7.2.1.0 - 7.2.1.2, EMC Isilon OneFS 7.2.0.x, EMC Isilon OneFS 7.1.1.0 - 7.1.1.10, and EMC Isilon OneFS 7.1.0.x is affected by an LDAP injection vulnerability that could potentially be exploited by a malicious user to compromise the system.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-90,

Products Affected

Vendor Product Version
emc isilon_onefs 7.1.1.4
emc isilon_onefs 7.1.0.0
emc isilon_onefs 7.1.1.8
emc isilon_onefs 7.2.1.0
emc isilon_onefs 7.2.0.0
emc isilon_onefs 7.1.0.3
emc isilon_onefs 7.2.0.4
emc isilon_onefs 7.2.0.5
emc isilon_onefs 7.1.1.2
emc isilon_onefs 7.1.0.6
emc isilon_onefs 7.1.1.7
emc isilon_onefs 7.2.0.1
emc isilon_onefs 7.2.1.1
emc isilon_onefs 7.1.1.5
emc isilon_onefs 7.1.1.1
emc isilon_onefs 7.2.0.2
emc isilon_onefs 7.1.0.1
emc isilon_onefs 7.1.1.6
emc isilon_onefs 7.2.0.3
emc isilon_onefs 7.1.0.5
emc isilon_onefs 7.2.1.2
emc isilon_onefs 8.0.0.0
emc isilon_onefs 7.1.0.2
emc isilon_onefs 7.1.1.3
emc isilon_onefs 7.1.0.4
emc isilon_onefs 7.1.1.0
CVE-2016-9871 HIGH

EMC Isilon OneFS 7.2.1.0 - 7.2.1.3, EMC Isilon OneFS 7.2.0.x, EMC Isilon OneFS 7.1.1.0 - 7.1.1.10, EMC Isilon OneFS 7.1.0.x is affected by a privilege escalation vulnerability that could potentially be exploited by attackers to compromise the affected system.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,

Products Affected

Vendor Product Version
emc isilon_onefs 7.1.1.4
emc isilon_onefs 7.1.1.1
emc isilon_onefs 7.1.0.0
emc isilon_onefs 7.1.1.8
emc isilon_onefs 7.2.0.2
emc isilon_onefs 7.1.1.6
emc isilon_onefs 7.1.1.9
emc isilon_onefs 7.2.1.3
emc isilon_onefs 7.2.1.0
emc isilon_onefs 7.2.0.3
emc isilon_onefs 7.2.0.0
emc isilon_onefs 7.1.0.5
emc isilon_onefs 7.2.1.2
emc isilon_onefs 7.2.0.4
emc isilon_onefs 7.1.1.2
emc isilon_onefs 7.1.0.6
emc isilon_onefs 7.1.1.7
emc isilon_onefs 7.2.0.1
emc isilon_onefs 7.1.1.10
emc isilon_onefs 7.2.1.1
emc isilon_onefs 7.1.1.3
emc isilon_onefs 7.1.1.0
emc isilon_onefs 7.1.1.5
CVE-2016-9872 MEDIUM

EMC Documentum D2 version 4.5 and EMC Documentum D2 version 4.6 has Reflected Cross-Site Scripting Vulnerabilities that could potentially be exploited by malicious users to compromise the affected system.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
emc documentum_d2 4.5
emc documentum_d2 4.6
CVE-2016-9873 MEDIUM

EMC Documentum D2 version 4.5 and EMC Documentum D2 version 4.6 has a DQL Injection Vulnerability that could potentially be exploited by malicious users to compromise the affected system. An authenticated low-privileged attacker could potentially exploit this vulnerability to access information, modify data or disrupt services by causing execution of arbitrary DQL commands on the application.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-77,

Products Affected

Vendor Product Version
emc documentum_d2 4.5
emc documentum_d2 4.6
CVE-2017-10955 HIGH

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of EMC Data Protection Advisor 6.3.0. Authentication is required to exploit this vulnerability. The specific flaw exists within the EMC DPA Application service, which listens on TCP port 9002 by default. When parsing the preScript parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute arbitrary code under the context of SYSTEM. Was ZDI-CAN-4697. NOTE: Dell EMC disputes that this is a vulnerability

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,CWE-20,

Products Affected

Vendor Product Version
emc data_protection_advisor 6.3.0
CVE-2017-14373 MEDIUM

EMC RSA Authentication Manager 8.2 SP1 P4 and earlier contains a reflected cross-site scripting vulnerability that could potentially be exploited by malicious users to compromise the affected system.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
emc rsa_authentication_manager *
CVE-2017-14375 HIGH

EMC Unisphere for VMAX Virtual Appliance (vApp) versions prior to 8.4.0.15, EMC Solutions Enabler Virtual Appliance versions prior to 8.4.0.15, EMC VASA Virtual Appliance versions prior to 8.4.0.512, and EMC VMAX Embedded Management (eManagement) versions prior to and including 1.4 (Enginuity Release 5977.1125.1125 and earlier) contain an authentication bypass vulnerability that may potentially be exploited by malicious users to compromise the affected system.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-290,

Products Affected

Vendor Product Version
emc vasa *
emc vmax_emanagement *
dell emc_unisphere *
emc solutions_enabler *
CVE-2017-14376 HIGH

EMC AppSync Server prior to 3.5.0.1 contains database accounts with hardcoded passwords that could potentially be exploited by malicious users to compromise the affected system.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-798,

Products Affected

Vendor Product Version
emc appsync *
CVE-2017-14378 HIGH

EMC RSA Authentication Agent API 8.5 for C and RSA Authentication Agent SDK 8.6 for C allow attackers to bypass authentication, aka an "Error Handling Vulnerability."

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
emc rsa_authentication_agent_sdk_for_c 8.6
emc rsa_authentication_agent_api_for_c 8.5
CVE-2017-14379 LOW

EMC RSA Authentication Manager before 8.2 SP1 P6 has a cross-site scripting vulnerability that could potentially be exploited by malicious users to compromise the affected system.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
emc rsa_authentication_manager *
CVE-2017-14380 HIGH

In EMC Isilon OneFS 8.1.0.0, 8.0.1.0 - 8.0.1.1, 8.0.0.0 - 8.0.0.4, 7.2.1.0 - 7.2.1.5, 7.2.0.x, and 7.1.1.x, a malicious compliance admin (compadmin) account user could exploit a vulnerability in isi_get_itrace or isi_get_profile maintenance scripts to run any shell script as system root on a cluster in compliance mode. This could potentially lead to an elevation of privilege for the compadmin user and violate compliance mode.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-269,

Products Affected

Vendor Product Version
emc isilon_onefs 7.1.1.4
emc isilon_onefs 7.2.1.5
emc isilon_onefs 7.2.1.3
emc isilon_onefs 7.2.1.0
emc isilon_onefs 7.2.0.0
emc isilon_onefs 8.0.1.1
emc isilon_onefs 7.2.0.4
emc isilon_onefs 7.2.0.5
emc isilon_onefs 8.0.1.0
emc isilon_onefs 7.1.1.2
emc isilon_onefs 8.1.0.0
emc isilon_onefs 7.2.0.1
emc isilon_onefs 7.2.1.1
emc isilon_onefs 7.1.1.5
emc isilon_onefs 7.1.1.1
emc isilon_onefs 7.2.0.2
emc isilon_onefs 8.0.0.1
emc isilon_onefs 7.2.0.3
emc isilon_onefs 7.2.1.4
emc isilon_onefs 7.2.1.2
emc isilon_onefs 8.0.0.0
emc isilon_onefs 8.0.0.4
emc isilon_onefs 8.0.0.2
emc isilon_onefs 8.0.0.3
emc isilon_onefs 7.1.1.3
emc isilon_onefs 7.1.1.0
CVE-2017-14385 MEDIUM

An issue was discovered in EMC Data Domain DD OS 5.7 family, versions prior to 5.7.5.6; EMC Data Domain DD OS 6.0 family, versions prior to 6.0.2.9; EMC Data Domain DD OS 6.1 family, versions prior to 6.1.0.21; EMC Data Domain Virtual Edition 2.0 family, all versions; EMC Data Domain Virtual Edition 3.0 family, versions prior to 3.0 SP2 Update 1; and EMC Data Domain Virtual Edition 3.1 family, versions prior to 3.1 Update 2. EMC Data Domain DD OS contains a memory overflow vulnerability in SMBv1 which may potentially be exploited by an unauthenticated remote attacker. An attacker may completely shut down both the SMB service and active directory authentication. This may also allow remote code injection and execution.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
emc data_domain 2.0
emc data_domain_os *
emc data_domain 3.0
emc data_domain 3.1
CVE-2017-14387 MEDIUM

The NFS service in EMC Isilon OneFS 8.1.0.0, 8.0.1.0 - 8.0.1.1, and 8.0.0.0 - 8.0.0.4 maintains default NFS export settings (including the NFS export security flavor for authentication) that can be leveraged by current and future NFS exports. This NFS service contained a flaw that did not properly propagate changes made to the default security flavor to all new and existing NFS exports that are configured to use default NFS export settings and that are mounted after those changes are made. This flaw may potentially allow NFS clients to access affected NFS exports using the default and potentially weaker security flavor even if a more secure one was selected to be used by the OneFS administrator, aka an "NFS Export Security Setting Fallback Vulnerability."

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
emc isilon_onefs 8.0.0.1
emc isilon_onefs 8.1.0.0
emc isilon_onefs 8.0.0.3
emc isilon_onefs 8.0.1.1
emc isilon_onefs 8.0.0.0
emc isilon_onefs 8.0.0.4
emc isilon_onefs 8.0.0.2
emc isilon_onefs 8.0.1.0
CVE-2017-15546 MEDIUM

The Security Console in EMC RSA Authentication Manager 8.2 SP1 P6 and earlier is affected by a blind SQL injection vulnerability. Authenticated malicious users could potentially exploit this vulnerability to read any unencrypted data from the database.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
emc rsa_authentication_manager *
emc rsa_authentication_manager 8.2
CVE-2017-15548 HIGH

An issue was discovered in EMC Avamar Server 7.1.x, 7.2.x, 7.3.x, 7.4.x, 7.5.0; EMC NetWorker Virtual Edition (NVE) 9.0.x, 9.1.x, 9.2.x; and EMC Integrated Data Protection Appliance 2.0. A remote unauthenticated malicious user can potentially bypass application authentication and gain unauthorized root access to the affected systems.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-287,

Products Affected

Vendor Product Version
emc avamar_server 7.3-226
emc avamar_server 7.2-32
emc avamar_server 7.4-58
emc avamar_server 7.3-211
emc avamar_server 7.3-233
emc networker 9.0
emc avamar_server 7.1-370
emc integrated_data_protection_appliance 2.0
emc networker 9.1
emc avamar_server 7.2-309
emc avamar_server 7.1-145
emc networker 9.2
emc avamar_server 7.4-242
emc avamar_server 7.3-125
emc avamar_server 7.1-302
emc avamar_server 7.2-401
emc avamar_server 7.5-183
emc avamar_server 7.1-21
CVE-2017-15549 HIGH

An issue was discovered in EMC Avamar Server 7.1.x, 7.2.x, 7.3.x, 7.4.x, 7.5.0; EMC NetWorker Virtual Edition (NVE) 9.0.x, 9.1.x, 9.2.x; and EMC Integrated Data Protection Appliance 2.0. A remote authenticated malicious user with low privileges could potentially upload arbitrary maliciously crafted files in any location on the server file system.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-434,

Products Affected

Vendor Product Version
emc avamar_server 7.3-226
emc avamar_server 7.2-32
emc avamar_server 7.4-58
emc avamar_server 7.3-211
emc avamar_server 7.3-233
emc networker 9.0
emc avamar_server 7.1-370
emc integrated_data_protection_appliance 2.0
emc networker 9.1
emc avamar_server 7.2-309
emc avamar_server 7.1-145
emc networker 9.2
emc avamar_server 7.4-242
emc avamar_server 7.3-125
emc avamar_server 7.1-302
emc avamar_server 7.2-401
emc avamar_server 7.5-183
emc avamar_server 7.1-21
CVE-2017-15550 HIGH

An issue was discovered in EMC Avamar Server 7.1.x, 7.2.x, 7.3.x, 7.4.x, 7.5.0; EMC NetWorker Virtual Edition (NVE) 9.0.x, 9.1.x, 9.2.x; and EMC Integrated Data Protection Appliance 2.0. A remote authenticated malicious user with low privileges could access arbitrary files on the server file system in the context of the running vulnerable application via Path traversal.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-22,

Products Affected

Vendor Product Version
emc avamar_server 7.3-226
emc avamar_server 7.2-32
emc avamar_server 7.4-58
emc avamar_server 7.3-211
emc avamar_server 7.3-233
emc networker 9.0
emc avamar_server 7.1-370
emc integrated_data_protection_appliance 2.0
emc networker 9.1
emc avamar_server 7.2-309
emc avamar_server 7.1-145
emc networker 9.2
emc avamar_server 7.4-242
emc avamar_server 7.3-125
emc avamar_server 7.1-302
emc avamar_server 7.2-401
emc avamar_server 7.5-183
emc avamar_server 7.1-21
CVE-2017-2765 HIGH

EMC Isilon InsightIQ 4.1.0, 4.0.1, 4.0.0, 3.2.2, 3.2.1, 3.2.0, 3.1.1, 3.1.0, 3.0.1, 3.0.0 is affected by an authentication bypass vulnerability that could potentially be exploited by attackers to compromise the affected system.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-287,

Products Affected

Vendor Product Version
emc isilon_insightiq 3.1.0
emc isilon_insightiq 4.1.0
emc isilon_insightiq 3.0.0
emc isilon_insightiq 3.2.2
emc isilon_insightiq 3.1.1
emc isilon_insightiq 4.0.0
emc isilon_insightiq 4.0.1
emc isilon_insightiq 3.2.1
emc isilon_insightiq 3.0.1
emc isilon_insightiq 3.2.0
CVE-2017-2766 HIGH

EMC Documentum eRoom version 7.4.4, EMC Documentum eRoom version 7.4.4 SP1, EMC Documentum eRoom version prior to 7.4.5 P04, EMC Documentum eRoom version prior to 7.5.0 P01 includes an unverified password change vulnerability that could potentially be exploited by malicious users to compromise the affected system.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-640,

Products Affected

Vendor Product Version
emc documentum_eroom 7.4.4
emc documentum_eroom 7.5.0
emc documentum_eroom 7.4.5
CVE-2017-2767 HIGH

EMC Network Configuration Manager (NCM) 9.3.x, EMC Network Configuration Manager (NCM) 9.4.0.x, EMC Network Configuration Manager (NCM) 9.4.1.x, EMC Network Configuration Manager (NCM) 9.4.2.x contains a Java RMI Remote Code Execution vulnerability that could potentially be exploited by malicious users to compromise the affected system.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-287,

Products Affected

Vendor Product Version
emc smarts_network_configuration_manager 9.4
emc smarts_network_configuration_manager 9.3
emc smarts_network_configuration_manager 9.4.2
emc smarts_network_configuration_manager 9.4.1
CVE-2017-2768 HIGH

EMC Network Configuration Manager (NCM) 9.3.x, EMC Network Configuration Manager (NCM) 9.4.0.x, EMC Network Configuration Manager (NCM) 9.4.1.x, EMC Network Configuration Manager (NCM) 9.4.2.x contains an Improper Authentication vulnerability that could potentially be exploited by malicious users to compromise the affected system.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-287,

Products Affected

Vendor Product Version
emc smarts_network_configuration_manager 9.4
emc smarts_network_configuration_manager 9.3
emc smarts_network_configuration_manager 9.4.2
emc smarts_network_configuration_manager 9.4.1
CVE-2017-3757 HIGH

An unquoted service path vulnerability was identified in the driver for the ElanTech Touchpad, various versions, used on some Lenovo brand notebooks (not ThinkPads). This could allow an attacker with local privileges to execute code with administrative privileges.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-428,

Products Affected

Vendor Product Version
emc elan_touchpad_driver *
CVE-2017-4976 HIGH

EMC ESRS Policy Manager prior to 6.8 contains an undocumented account (OpenDS admin) with a default password. A remote attacker with the knowledge of the default password may login to the system and gain administrator privileges to the local LDAP directory server.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-798,

Products Affected

Vendor Product Version
emc esrs_policy_manager *
CVE-2017-4977 LOW

EMC RSA Archer Security Operations Management with RSA Unified Collector Framework versions prior to 1.3.1.52 contain a sensitive information disclosure vulnerability that could potentially be exploited by malicious users to compromise an affected system.

CVSS 2.0

Severity: LOW

Problem Type: CWE-200,

Products Affected

Vendor Product Version
emc rsa_archer_security_operations_management *
CVE-2017-4979 MEDIUM

EMC Isilon OneFS 8.0.1.0, OneFS 8.0.0.0 - 8.0.0.2, OneFS 7.2.1.0 - 7.2.1.3, and OneFS 7.2.0.x is affected by an NFS export vulnerability. Under certain conditions, after upgrading a cluster from OneFS 7.1.1.x or earlier, users may have unexpected levels of access to some NFS exports.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
emc isilon_onefs 7.2.0.2
emc isilon_onefs 8.0.0.1
emc isilon_onefs 7.2.0.1
emc isilon_onefs 7.2.1.3
emc isilon_onefs 7.2.1.0
emc isilon_onefs 7.2.0.0
emc isilon_onefs 7.2.1.1
emc isilon_onefs 7.2.1.2
emc isilon_onefs 8.0.0.0
emc isilon_onefs 8.0.0.2
emc isilon_onefs 8.0.1.0
CVE-2017-4980 MEDIUM

EMC Isilon OneFS is affected by a path traversal vulnerability that may potentially be exploited by attackers to compromise the affected system. Affected versions are 7.1.0 - 7.1.1.10, 7.2.0 - 7.2.1.3, and 8.0.0 - 8.0.0.1.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
emc isilon_onefs 7.1.1.4
emc isilon_onefs 7.1.1.8
emc isilon_onefs 7.1.1.9
emc isilon_onefs 7.2.1.3
emc isilon_onefs 7.2.1.0
emc isilon_onefs 7.2.0.0
emc isilon_onefs 7.2.0.4
emc isilon_onefs 7.1.1.2
emc isilon_onefs 7.1.0.6
emc isilon_onefs 7.1.1.7
emc isilon_onefs 7.2.0.1
emc isilon_onefs 7.1.1.10
emc isilon_onefs 7.2.1.1
emc isilon_onefs 7.1.1.5
emc isilon_onefs 7.1.1.1
emc isilon_onefs 7.2.0.2
emc isilon_onefs 7.1.1.6
emc isilon_onefs 8.0.0.1
emc isilon_onefs 7.2.0.3
emc isilon_onefs 7.1.0.5
emc isilon_onefs 7.2.1.2
emc isilon_onefs 8.0.0.0
emc isilon_onefs 7.1.1.3
emc isilon_onefs 7.1.1.0
CVE-2017-4982 HIGH

EMC Mainframe Enablers ResourcePak Base versions 7.6.0, 8.0.0, and 8.1.0 contains a fix for a privilege management vulnerability that could potentially be exploited by malicious users to compromise the affected system.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-269,

Products Affected

Vendor Product Version
emc mainframe_enablers_resourcepak_base 7.6.0
emc mainframe_enablers_resourcepak_base 8.0.0
emc mainframe_enablers_resourcepak_base 8.1.0
CVE-2017-4984 HIGH

In EMC VNX2 versions prior to OE for File 8.1.9.211 and VNX1 versions prior to OE for File 7.1.80.8, an unauthenticated remote attacker may be able to elevate their permissions to root through a command injection. This may potentially be exploited by an attacker to run arbitrary code with root-level privileges on the targeted VNX Control Station system, aka remote code execution.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-77,

Products Affected

Vendor Product Version
emc vnx2_firmware -
emc vnx1_firmware -
CVE-2017-4985 HIGH

In EMC VNX2 versions prior to OE for File 8.1.9.211 and VNX1 versions prior to OE for File 7.1.80.8, a local authenticated user may potentially escalate their privileges to root due to authorization checks not being performed on certain perl scripts. This may potentially be exploited by an attacker to run arbitrary commands as root on the targeted VNX Control Station system.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-862,

Products Affected

Vendor Product Version
emc vnx2_firmware -
emc vnx1_firmware -
CVE-2017-4986 MEDIUM

EMC ESRS VE 3.18 or earlier contains Authentication Bypass that could potentially be exploited by malicious users to compromise the affected system.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
emc secure_remote_services 3.18
CVE-2017-4987 MEDIUM

In EMC VNX2 versions prior to OE for File 8.1.9.211 and VNX1 versions prior to OE for File 7.1.80.8, a local authenticated user can load a maliciously crafted file in the search path which may potentially allow the attacker to execute arbitrary code on the targeted VNX Control Station system, aka an uncontrolled search path vulnerability.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-427,

Products Affected

Vendor Product Version
emc vnx2_firmware -
emc vnx1_firmware -
CVE-2017-4988 HIGH

EMC Isilon OneFS 8.0.1.0, 8.0.0 - 8.0.0.3, 7.2.0 - 7.2.1.4, 7.1.x is affected by a privilege escalation vulnerability that could potentially be exploited by attackers to compromise the affected system.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
emc isilon_onefs 7.1.1.4
emc isilon_onefs 7.1.0.0
emc isilon_onefs 7.1.1.8
emc isilon_onefs 7.1.1.9
emc isilon_onefs 7.2.1.3
emc isilon_onefs 7.2.1.0
emc isilon_onefs 7.2.0.0
emc isilon_onefs 7.2.0.4
emc isilon_onefs 8.0.1.0
emc isilon_onefs 7.1.1.2
emc isilon_onefs 7.1.0.6
emc isilon_onefs 7.1.1.7
emc isilon_onefs 7.1.1.11
emc isilon_onefs 7.2.0.1
emc isilon_onefs 7.1.1.10
emc isilon_onefs 7.2.1.1
emc isilon_onefs 7.1.1.5
emc isilon_onefs 7.1.1.1
emc isilon_onefs 7.2.0.2
emc isilon_onefs 7.1.1.6
emc isilon_onefs 8.0.0.1
emc isilon_onefs 7.2.0.3
emc isilon_onefs 7.2.1.4
emc isilon_onefs 7.1.0.5
emc isilon_onefs 7.2.1.2
emc isilon_onefs 8.0.0.0
emc isilon_onefs 8.0.0.2
emc isilon_onefs 8.0.0.3
emc isilon_onefs 7.1.1.3
emc isilon_onefs 7.1.1.0
CVE-2017-4989 HIGH

In EMC Avamar Server Software 7.3.1-125, 7.3.0-233, 7.3.0-226, 7.2.1-32, 7.2.1-31, 7.2.0-401, an unauthenticated remote attacker may potentially bypass the authentication process to gain access to the system maintenance page. This may be exploited by an attacker to view sensitive information, perform software updates, or run maintenance workflows.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-287,

Products Affected

Vendor Product Version
emc avamar_server 7.3.1-125
emc avamar_server 7.2.0-401
emc avamar_server 7.2.1-32
emc avamar_server 7.2.1-31
emc avamar_server 7.3.0-226
emc avamar_server 7.3.0-233
CVE-2017-4990 HIGH

In EMC Avamar Server Software 7.4.1-58, 7.4.0-242, 7.3.1-125, 7.3.0-233, 7.3.0-226, an unauthorized attacker may leverage the file upload feature of the system maintenance page to load a maliciously crafted file to any directory which could allow the attacker to execute arbitrary code on the Avamar Server system.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-434,

Products Affected

Vendor Product Version
emc avamar_server 7.3.1-125
emc avamar_server 7.4.0-242
emc avamar_server 7.3.0-226
emc avamar_server 7.4.1-58
emc avamar_server 7.3.0-233
CVE-2017-4998 MEDIUM

EMC RSA Archer 5.4.1.3, 5.5.3.1, 5.5.2.3, 5.5.2, 5.5.1.3.1, 5.5.1.1 is potentially affected by a cross-site request forgery vulnerability. A remote low privileged attacker may potentially exploit the vulnerability to execute unauthorized requests on behalf of the victim, using the authenticated user's privileges.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
emc rsa_archer_egrc 5.5.3.1
emc rsa_archer_egrc 5.5.2
emc rsa_archer_egrc 5.5.1.3.1
emc rsa_archer_egrc 5.5.2.3
emc rsa_archer_egrc 5.5.1.1
emc rsa_archer_egrc 5.4.1.3
CVE-2017-4999 MEDIUM

EMC RSA Archer 5.4.1.3, 5.5.3.1, 5.5.2.3, 5.5.2, 5.5.1.3.1, 5.5.1.1 is affected by an authorization bypass through user-controlled key vulnerability in Discussion Forum Messages. A remote low privileged attacker may potentially exploit this vulnerability to elevate their privileges and view other users' discussion forum messages.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
emc rsa_archer_egrc 5.5.3.1
emc rsa_archer_egrc 5.5.2
emc rsa_archer_egrc 5.5.1.3.1
emc rsa_archer_egrc 5.5.2.3
emc rsa_archer_egrc 5.5.1.1
emc rsa_archer_egrc 5.4.1.3
CVE-2017-5000 MEDIUM

EMC RSA Archer 5.4.1.3, 5.5.3.1, 5.5.2.3, 5.5.2, 5.5.1.3.1, 5.5.1.1 is affected by an information exposure through an error message vulnerability. A remote low privileged attacker may potentially exploit this vulnerability to use information disclosed in an error message to launch another more focused attack.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
emc rsa_archer_egrc 5.5.3.1
emc rsa_archer_egrc 5.5.2
emc rsa_archer_egrc 5.5.1.3.1
emc rsa_archer_egrc 5.5.2.3
emc rsa_archer_egrc 5.5.1.1
emc rsa_archer_egrc 5.4.1.3
CVE-2017-5001 MEDIUM

EMC RSA Archer 5.4.1.3, 5.5.3.1, 5.5.2.3, 5.5.2, 5.5.1.3.1, 5.5.1.1 is affected by an information exposure through an error message vulnerability. A remote low privileged attacker may potentially exploit this vulnerability to use information disclosed in an error message to launch another more focused attack.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
emc rsa_archer_egrc 5.5.3.1
emc rsa_archer_egrc 5.5.2
emc rsa_archer_egrc 5.5.1.3.1
emc rsa_archer_egrc 5.5.2.3
emc rsa_archer_egrc 5.5.1.1
emc rsa_archer_egrc 5.4.1.3
CVE-2017-5002 MEDIUM

EMC RSA Archer 5.4.1.3, 5.5.3.1, 5.5.2.3, 5.5.2, 5.5.1.3.1, 5.5.1.1 is affected by an open redirect vulnerability. A remote unprivileged attacker may potentially redirect legitimate users to arbitrary web sites and conduct phishing attacks. The attacker could then steal the victims' credentials and silently authenticate them to the RSA Archer application without the victims realizing an attack occurred.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-601,

Products Affected

Vendor Product Version
emc rsa_archer_egrc 5.5.3.1
emc rsa_archer_egrc 5.5.2
emc rsa_archer_egrc 5.5.1.3.1
emc rsa_archer_egrc 5.5.2.3
emc rsa_archer_egrc 5.5.1.1
emc rsa_archer_egrc 5.4.1.3
CVE-2017-5003 MEDIUM

EMC RSA Identity Governance and Lifecycle versions 7.0.1, 7.0.2 (all patch levels); RSA Via Lifecycle and Governance version 7.0 (all patch levels); and RSA Identity Management and Governance (IMG) version 6.9.1 (all patch levels) have Reflected Cross Site Scripting vulnerabilities that could potentially be exploited by malicious users to compromise an affected system.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
rsa rsa_via_lifecycle_and_governance 7.0
emc rsa_identity_governance_and_lifecycle 7.0.1
emc rsa_identity_governance_and_lifecycle 7.0.2
emc rsa_identity_management_and_governance 6.9.1
CVE-2017-5004 LOW

EMC RSA Identity Governance and Lifecycle versions 7.0.1, 7.0.2 (all patch levels); RSA Via Lifecycle and Governance version 7.0 (all patch levels); and RSA Identity Management and Governance (IMG) version 6.9.1 (all patch levels) have Stored Cross Site Scripting vulnerabilities that could potentially be exploited by malicious users to compromise an affected system.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
rsa rsa_via_lifecycle_and_governance 7.0
emc rsa_identity_governance_and_lifecycle 7.0.1
emc rsa_identity_governance_and_lifecycle 7.0.2
emc rsa_identity_management_and_governance 6.9.1
CVE-2017-8000 LOW

In EMC RSA Authentication Manager 8.2 SP1 and earlier, a malicious RSA Security Console Administrator could craft a token profile and store the profile name in the RSA Authentication Manager database. The profile name could include a crafted script (with an XSS payload) that could be executed when viewing or editing the assigned token profile in the token by another administrator's browser session.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
emc rsa_authentication_manager *
CVE-2017-8002 MEDIUM

EMC Data Protection Advisor prior to 6.4 contains multiple blind SQL injection vulnerabilities. A remote authenticated attacker may potentially exploit these vulnerabilities to gain information about the application by causing execution of arbitrary SQL commands.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
emc data_protection_advisor *
CVE-2017-8003 MEDIUM

EMC Data Protection Advisor prior to 6.4 contains a path traversal vulnerability. A remote authenticated high privileged user may potentially exploit this vulnerability to access unauthorized information from the underlying OS server by supplying specially crafted strings in input parameters of the application.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
emc data_protection_advisor *
CVE-2017-8004 MEDIUM

The EMC RSA Identity Governance and Lifecycle, RSA Via Lifecycle and Governance and RSA IMG products (RSA Identity Governance and Lifecycle versions 7.0.1, 7.0.2, all patch levels; RSA Via Lifecycle and Governance version 7.0, all patch levels; RSA Identity Management and Governance (RSA IMG) versions 6.9.1, all patch levels) allow an application administrator to upload arbitrary files that may potentially contain a malicious code. The malicious file could be then executed on the affected system with the privileges of the user the application is running under.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
emc rsa_identity_management_and_governance 6.9.1.14
emc rsa_identity_management_and_governance 6.9.1.24
emc rsa_identity_management_and_governance 6.9.1.13
emc rsa_identity_management_and_governance 6.9.1.3
emc rsa_identity_management_and_governance 6.9.1.20
emc rsa_identity_management_and_governance 6.9.1.15
rsa rsa_via_lifecycle_and_governance 7.0.0.3
rsa rsa_via_lifecycle_and_governance 7.0
emc rsa_identity_governance_and_lifecycle 7.0.2.1
emc rsa_identity_management_and_governance 6.9.1.18
emc rsa_identity_management_and_governance 6.9.1.16
emc rsa_identity_governance_and_lifecycle 7.0.1
emc rsa_identity_management_and_governance 6.9.1.1
emc rsa_identity_governance_and_lifecycle 7.0.2
emc rsa_identity_management_and_governance 6.9.1.23
rsa rsa_via_lifecycle_and_governance 7.0.0.5
emc rsa_identity_governance_and_lifecycle 7.0.1.1
emc rsa_identity_governance_and_lifecycle 7.0.1.3
emc rsa_identity_management_and_governance 6.9.1.22
emc rsa_identity_management_and_governance 6.9.1.9
emc rsa_identity_management_and_governance 6.9.1.12
rsa rsa_via_lifecycle_and_governance 7.0.0.2
emc rsa_identity_management_and_governance 6.9.1.10
emc rsa_identity_management_and_governance 6.9.1.5
emc rsa_identity_management_and_governance 6.9.1.7
emc rsa_identity_management_and_governance 6.9.1.17
emc rsa_identity_governance_and_lifecycle 7.0.1.2
rsa rsa_via_lifecycle_and_governance 7.0.0.1
emc rsa_identity_management_and_governance 6.9.1.19
emc rsa_identity_management_and_governance 6.9.1.11
emc rsa_identity_management_and_governance 6.9.1.8
rsa rsa_via_lifecycle_and_governance 7.0.0.4
emc rsa_identity_management_and_governance 6.9.1.4
emc rsa_identity_management_and_governance 6.9.1.2
emc rsa_identity_management_and_governance 6.9.1
emc rsa_identity_management_and_governance 6.9.1.21
emc rsa_identity_management_and_governance 6.9.1.6
CVE-2017-8005 LOW

The EMC RSA Identity Governance and Lifecycle, RSA Via Lifecycle and Governance, and RSA IMG products (RSA Identity Governance and Lifecycle versions 7.0.1, 7.0.2, all patch levels; RSA Via Lifecycle and Governance version 7.0, all patch levels; RSA Identity Management and Governance (RSA IMG) versions 6.9.1, all patch levels) are affected by multiple stored cross-site scripting vulnerabilities. Remote authenticated malicious users could potentially inject arbitrary HTML code to the application.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
emc rsa_identity_management_and_governance 6.9.1.14
emc rsa_identity_management_and_governance 6.9.1.24
emc rsa_identity_management_and_governance 6.9.1.13
emc rsa_identity_management_and_governance 6.9.1.3
emc rsa_identity_management_and_governance 6.9.1.20
emc rsa_identity_management_and_governance 6.9.1.15
rsa rsa_via_lifecycle_and_governance 7.0.0.3
rsa rsa_via_lifecycle_and_governance 7.0
emc rsa_identity_governance_and_lifecycle 7.0.2.1
emc rsa_identity_management_and_governance 6.9.1.18
emc rsa_identity_management_and_governance 6.9.1.16
emc rsa_identity_governance_and_lifecycle 7.0.1
emc rsa_identity_management_and_governance 6.9.1.1
emc rsa_identity_governance_and_lifecycle 7.0.2
emc rsa_identity_management_and_governance 6.9.1.23
rsa rsa_via_lifecycle_and_governance 7.0.0.5
emc rsa_identity_governance_and_lifecycle 7.0.1.1
emc rsa_identity_governance_and_lifecycle 7.0.1.3
emc rsa_identity_management_and_governance 6.9.1.22
emc rsa_identity_management_and_governance 6.9.1.9
emc rsa_identity_management_and_governance 6.9.1.12
rsa rsa_via_lifecycle_and_governance 7.0.0.2
emc rsa_identity_management_and_governance 6.9.1.10
emc rsa_identity_management_and_governance 6.9.1.5
emc rsa_identity_management_and_governance 6.9.1.7
emc rsa_identity_management_and_governance 6.9.1.17
emc rsa_identity_governance_and_lifecycle 7.0.1.2
rsa rsa_via_lifecycle_and_governance 7.0.0.1
emc rsa_identity_management_and_governance 6.9.1.19
emc rsa_identity_management_and_governance 6.9.1.11
emc rsa_identity_management_and_governance 6.9.1.8
rsa rsa_via_lifecycle_and_governance 7.0.0.4
emc rsa_identity_management_and_governance 6.9.1.4
emc rsa_identity_management_and_governance 6.9.1.2
emc rsa_identity_management_and_governance 6.9.1
emc rsa_identity_management_and_governance 6.9.1.21
emc rsa_identity_management_and_governance 6.9.1.6
CVE-2017-8006 MEDIUM

In EMC RSA Authentication Manager 8.2 SP1 Patch 1 and earlier, a malicious user logged into the Self-Service Console of RSA Authentication Manager as a target user can use a brute force attack to attempt to identify that user's PIN. The malicious user could potentially reset the compromised PIN to affect victim's ability to obtain access to protected resources.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-287,

Products Affected

Vendor Product Version
emc rsa_authentication_manager *
CVE-2017-8013 HIGH

EMC Data Protection Advisor 6.3.x before patch 67 and 6.4.x before patch 130 contains undocumented accounts with hard-coded passwords and various privileges. Affected accounts are: "Apollo System Test", "emc.dpa.agent.logon" and "emc.dpa.metrics.logon". An attacker with knowledge of the password could potentially use these accounts via REST APIs to gain unauthorized access to EMC Data Protection Advisor (including potentially access with administrative privileges).

CVSS 2.0

Severity: HIGH

Problem Type: CWE-798,

Products Affected

Vendor Product Version
emc data_protection_advisor 6.4.0
emc data_protection_advisor 6.3.0
CVE-2017-8015 HIGH

EMC AppSync (all versions prior to 3.5) contains a SQL injection vulnerability that could potentially be exploited by malicious users to compromise the affected system.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
emc appsync *
CVE-2017-8016 LOW

RSA Archer GRC Platform prior to 6.2.0.5 is affected by stored cross-site scripting via the Questionnaire ID field. An authenticated attacker may potentially exploit this to execute arbitrary HTML in the user's browser session in the context of the affected RSA Archer application.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
emc archer_grc_platform *
CVE-2017-8017 MEDIUM

EMC Network Configuration Manager (NCM) 9.3.x, 9.4.0.x, 9.4.1.x, and 9.4.2.x is affected by a reflected cross-site scripting Vulnerability that could potentially be exploited by malicious users to compromise the affected system.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
emc smarts_network_configuration_manager 9.4
emc smarts_network_configuration_manager 9.3
emc smarts_network_configuration_manager 9.4.2
emc smarts_network_configuration_manager 9.4.1
CVE-2017-8018 MEDIUM

EMC AppSync host plug-in versions 3.5 and below (Windows platform only) includes a denial of service (DoS) vulnerability that could potentially be exploited by malicious users to compromise the affected system.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
emc appsync *
CVE-2017-8019 MEDIUM

An issue was discovered in EMC ScaleIO 2.0.1.x. A vulnerability in message parsers (MDM, SDS, and LIA) could potentially allow an unauthenticated remote attacker to send specifically crafted packets to stop ScaleIO services and cause a denial of service situation.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
emc scaleio 2.0.1.3
emc scaleio 2.0.1.1
emc scaleio 2.0.1.2
emc scaleio 2.0.1.0
CVE-2017-8020 HIGH

An issue was discovered in EMC ScaleIO 2.0.1.x. A buffer overflow vulnerability in the SDBG service may potentially allow a remote unauthenticated attacker to execute arbitrary commands with root privileges on an affected server.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
emc scaleio 2.0.1.3
emc scaleio 2.0.1.1
emc scaleio 2.0.1.2
emc scaleio 2.0.1.0
CVE-2017-8022 MEDIUM

An issue was discovered in EMC NetWorker (prior to 8.2.4.9, all supported 9.0.x versions, prior to 9.1.1.3, prior to 9.2.0.4). The Server service (nsrd) is affected by a buffer overflow vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability to execute arbitrary code on vulnerable installations of the software, or cause a denial of service, depending on the target system's platform.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
emc networker 9.1.0.4
emc networker *
emc networker 9.2.0.1
emc networker 9.0.0.6
emc networker 9.0.1.1
emc networker 9.0.0.5
emc networker 9.0.1.5
emc networker 9.0.1.9
emc networker 9.0.1.8
emc networker 9.0.1.2
emc networker 9.0.0.3
emc networker 9.1.0.6
emc networker 9.1.0.5
emc networker 9.0.0.7
emc networker 9.0.1.7
emc networker 9.1.0.3
emc networker 9.0.1.3
emc networker 9.0.1.4
emc networker 9.2.0.2
emc networker 9.1.1.1
emc networker 9.2.0.3
emc networker 9.1.1.2
emc networker 9.0.0.4
emc networker 9.0.1.6
emc networker 9.0.0.8
CVE-2017-8024 MEDIUM

EMC Isilon OneFS (versions prior to 8.1.0.1, versions prior to 8.0.1.2, versions prior to 8.0.0.6, version 7.2.1.x) is impacted by a reflected cross-site scripting vulnerability that may potentially be exploited by malicious users to compromise the affected system.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
emc isilon_onefs 7.2.1.5
emc isilon_onefs *
emc isilon_onefs 7.2.1.3
emc isilon_onefs 7.2.1.0
emc isilon_onefs 7.2.1.4
emc isilon_onefs 7.2.1.1
emc isilon_onefs 7.2.1.2
emc isilon_onefs 7.2.1.6
CVE-2017-8025 MEDIUM

RSA Archer GRC Platform prior to 6.2.0.5 is affected by an arbitrary file upload vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability to upload malicious files via attachments to arbitrary paths on the web server.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
emc archer_grc_platform *
CVE-2018-11049 MEDIUM

RSA Identity Governance and Lifecycle, RSA Via Lifecycle and Governance, and RSA IMG releases have an uncontrolled search vulnerability. The installation scripts set an environment variable in an unintended manner. A local authenticated malicious user could trick the root user to run malicious code on the targeted system.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-427,

Products Affected

Vendor Product Version
rsa rsa_via_lifecycle_and_governance 7.0
emc rsa_identity_management_and_governance 6.9.0
emc rsa_identity_governance_and_lifecycle 7.1.0
emc rsa_identity_management_and_governance 6.9.1
CVE-2018-11051 MEDIUM

RSA Certificate Manager Versions 6.9 build 560 through 6.9 build 564 contain a path traversal vulnerability in the RSA CMP Enroll Server and the RSA REST Enroll Server. A remote unauthenticated attacker could potentially exploit this vulnerability by manipulating input parameters of the application to gain unauthorized read access to the files stored on the server filesystem, with the privileges of the running web application.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
emc rsa_certificate_manager *
CVE-2018-11061 HIGH

RSA NetWitness Platform versions prior to 11.1.0.2 and RSA Security Analytics versions prior to 10.6.6 are vulnerable to a server-side template injection vulnerability due to insecure configuration of the template engine used in the product. A remote authenticated malicious RSA NetWitness Server user with an Admin or Operator role could exploit this vulnerability to execute arbitrary commands on the server with root privileges.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
emc rsa_netwitness *
emc rsa_security_analytics *
CVE-2018-11071 MEDIUM

Dell EMC Isilon OneFS versions 7.1.1.x, 7.2.1.x, 8.0.0.x, 8.0.1.x, 8.1.0.x and 8.1.x prior to 8.1.2 and Dell EMC IsilonSD Edge versions 8.0.0.x, 8.0.1.x, 8.1.0.x and 8.1.x prior to 8.1.2 contain a remote process crash vulnerability. An unauthenticated remote attacker may potentially exploit this vulnerability to crash the isi_drive_d process by sending specially crafted input data to the affected system. This process will then be restarted.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
emc isilon_onefs *
emc isilonsd_edge *
CVE-2018-11073 LOW

RSA Authentication Manager versions prior to 8.3 P3 contain a stored cross-site scripting vulnerability in the Operations Console. A malicious Operations Console administrator could exploit this vulnerability to store arbitrary HTML or JavaScript code through the web interface. When other Operations Console administrators open the affected page, the injected scripts could potentially be executed in their browser.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
rsa authentication_manager *
emc rsa_authentication_manager 8.3
CVE-2018-11074 MEDIUM

RSA Authentication Manager versions prior to 8.3 P3 are affected by a DOM-based cross-site scripting vulnerability which exists in its embedded MadCap Flare Help files. A remote unauthenticated attacker could potentially exploit this vulnerability by tricking a victim application user to supply malicious HTML or JavaScript code to the browser DOM, which code is then executed by the web browser in the context of the vulnerable web application.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
rsa authentication_manager *
emc rsa_authentication_manager 8.3
CVE-2018-11075 LOW

RSA Authentication Manager versions prior to 8.3 P3 contain a reflected cross-site scripting vulnerability in a Security Console page. A remote, unauthenticated malicious user, with the knowledge of a target user's anti-CSRF token, could potentially exploit this vulnerability by tricking a victim Security Console user to supply malicious HTML or JavaScript code to the vulnerable web application, which code is then executed by the victim's web browser in the context of the vulnerable web application.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
rsa authentication_manager *
emc rsa_authentication_manager 8.3
CVE-2018-11079 LOW

Dell EMC Secure Remote Services, versions prior to 3.32.00.08, contains a Plaintext Password Storage vulnerability. Database credentials are stored in plaintext in a configuration file. An authenticated malicious user with access to the configuration file may obtain the exposed password to gain access to the application database.

CVSS 2.0

Severity: LOW

Problem Type: CWE-522,

Products Affected

Vendor Product Version
emc secure_remote_services *
CVE-2018-11080 MEDIUM

Dell EMC Secure Remote Services, versions prior to 3.32.00.08, contains Improper File Permission Vulnerabilities. The application contains multiple configuration files with world-readable permissions that could allow an authenticated malicious user to utilize the file contents to potentially elevate their privileges.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-732,

Products Affected

Vendor Product Version
emc secure_remote_services *
CVE-2018-1182 HIGH

An issue was discovered in EMC RSA Identity Governance and Lifecycle versions 7.0.1, 7.0.2, all patch levels (hardware appliance and software bundle deployments only); RSA Via Lifecycle and Governance version 7.0, all patch levels (hardware appliance and software bundle deployments only); RSA Identity Management & Governance (RSA IMG) versions 6.9.0, 6.9.1, all patch levels (hardware appliance and software bundle deployments only). It allows certain OS level users to execute arbitrary scripts with root level privileges.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-269,

Products Affected

Vendor Product Version
rsa rsa_via_lifecycle_and_governance 7.0
emc rsa_identity_management_and_governance 6.9.0
emc rsa_identity_governance_and_lifecycle 7.0.1
emc rsa_identity_governance_and_lifecycle 7.0.2
emc rsa_identity_management_and_governance 6.9.1
CVE-2018-1206 HIGH

Dell EMC Data Protection Advisor versions prior to 6.3 Patch 159 and Dell EMC Data Protection Advisor versions prior to 6.4 Patch 110 contain a hardcoded database account with administrative privileges. The affected account is "apollosuperuser." An attacker with local access to the server where DPA Datastore Service is installed and knowledge of the password may potentially gain unauthorized access to the database. Note: The Datastore Service database cannot be accessed remotely using this account.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-798,

Products Affected

Vendor Product Version
emc data_protection_advisor 6.4.0
emc data_protection_advisor 6.3.0
CVE-2018-1219 MEDIUM

EMC RSA Archer, versions prior to 6.2.0.8, contains an improper access control vulnerability on an API which is used to enumerate user information. A remote authenticated malicious user can potentially exploit this vulnerability to gather information about the user base and may use this information in subsequent attacks.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
emc rsa_archer *
CVE-2018-1220 MEDIUM

EMC RSA Archer, versions prior to 6.2.0.8, contains a redirect vulnerability in the QuickLinks feature. A remote attacker may potentially exploit this vulnerability to redirect genuine users to phishing websites with the intent of obtaining sensitive information from the users.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-601,

Products Affected

Vendor Product Version
emc rsa_archer *
CVE-2018-1235 HIGH

Dell EMC RecoverPoint versions prior to 5.1.2 and RecoverPoint for VMs versions prior to 5.1.1.3, contain a command injection vulnerability. An unauthenticated remote attacker may potentially exploit this vulnerability to execute arbitrary commands on the affected system with root privilege.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,

Products Affected

Vendor Product Version
emc recoverpoint *
emc recoverpoint_for_virtual_machines *
CVE-2018-1240 LOW

Dell EMC ViPR Controller, versions after 3.0.0.38, contain an information exposure vulnerability in the VRRP. VRRP defaults to an insecure configuration in Linux's keepalived component which sends the cluster password in plaintext through multicast. A malicious user, having access to the vCloud subnet where ViPR is deployed, could potentially sniff the password and use it to take over the cluster's virtual IP and cause a denial of service on that ViPR Controller system.

CVSS 2.0

Severity: LOW

Problem Type: CWE-200,

Products Affected

Vendor Product Version
emc vipr_controller *
CVE-2018-1241 MEDIUM

Dell EMC RecoverPoint versions prior to 5.1.2 and RecoverPoint for VMs versions prior to 5.1.1.3, under certain conditions, may leak LDAP password in plain-text into the RecoverPoint log file. An authenticated malicious user with access to the RecoverPoint log files may obtain the exposed LDAP password to use it in further attacks.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-532,CWE-532,

Products Affected

Vendor Product Version
emc recoverpoint *
emc recoverpoint_for_virtual_machines *
CVE-2018-1242 MEDIUM

Dell EMC RecoverPoint versions prior to 5.1.2 and RecoverPoint for VMs versions prior to 5.1.1.3, contains a command injection vulnerability in the Boxmgmt CLI. An authenticated malicious user with boxmgmt privileges may potentially exploit this vulnerability to read RPA files. Note that files that require root permission cannot be read.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-78,

Products Affected

Vendor Product Version
emc recoverpoint *
emc recoverpoint_for_virtual_machines *
CVE-2018-1245 HIGH

RSA Identity Lifecycle and Governance versions 7.0.1, 7.0.2 and 7.1.0 contains an authorization bypass vulnerability within the workflow architect component (ACM). A remote authenticated malicious user with non-admin privileges could potentially bypass the Java Security Policies. Once bypassed, a malicious user could potentially run arbitrary system commands at the OS level with application owner privileges on the affected system.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-863,

Products Affected

Vendor Product Version
emc rsa_identity_governance_and_lifecycle 7.1.0
emc rsa_identity_governance_and_lifecycle 7.0.1
emc rsa_identity_governance_and_lifecycle 7.0.2
CVE-2018-1253 MEDIUM

RSA Authentication Manager Operation Console, versions 8.3 P1 and earlier, contains a stored cross-site scripting vulnerability. A malicious Operations Console administrator could potentially exploit this vulnerability to store arbitrary HTML or JavaScript code through the web interface. When other Operations Console administrators open the affected page, the injected scripts could potentially be executed in their browser.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
emc rsa_authentication_manager *
emc rsa_authentication_manager 8.1
emc rsa_authentication_manager 8.2
emc rsa_authentication_manager 8.3
emc rsa_authentication_manager 7.1
emc rsa_authentication_manager 8.0
CVE-2018-1254 MEDIUM

RSA Authentication Manager Security Console, versions 8.3 P1 and earlier, contains a reflected cross-site scripting vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability by tricking a victim Security Console administrator to supply malicious HTML or JavaScript code to a vulnerable web application, which is then reflected back to the victim and executed by the web browser.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
emc rsa_authentication_manager *
CVE-2018-1255 MEDIUM

RSA Identity Lifecycle and Governance versions 7.0.1, 7.0.2 and 7.1.0 contains a reflected cross-site scripting vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability by tricking a victim application user to supply malicious HTML or JavaScript code to a vulnerable web application, which is then reflected back to the victim and executed by the web browser.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
emc rsa_identity_governance_and_lifecycle 7.1.0
emc rsa_identity_governance_and_lifecycle 7.0.1
emc rsa_identity_governance_and_lifecycle 7.0.2
CVE-2018-15764 HIGH

Dell EMC ESRS Policy Manager versions 6.8 and prior contain a remote code execution vulnerability due to improper configurations of triggered JMX services. A remote unauthenticated attacker may potentially exploit this vulnerability to execute arbitrary code in the server's JVM.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
emc esrs_policy_manager *
CVE-2018-15771 MEDIUM

Dell EMC RecoverPoint versions prior to 5.1.2.1 and RecoverPoint for VMs versions prior to 5.2.0.2 contain an information disclosure vulnerability. A malicious boxmgmt user may potentially be able to determine the existence of any system file via Boxmgmt CLI.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
emc recoverpoint *
emc recoverpoint_for_virtual_machines *
CVE-2019-18574 LOW

RSA Authentication Manager software versions prior to 8.4 P8 contain a stored cross-site scripting vulnerability in the Security Console. A malicious Security Console administrator could exploit this vulnerability to store arbitrary HTML or JavaScript code through the web interface which could then be included in a report. When other Security Console administrators open the affected report, the injected scripts could potentially be executed in their browser.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N 1.7 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,CWE-79,

Products Affected

Vendor Product Version
emc rsa_authentication_manager 8.4
rsa authentication_manager *
CVE-2019-3711 MEDIUM

RSA Authentication Manager versions prior to 8.4 P1 contain an Insecure Credential Management Vulnerability. A malicious Operations Console administrator may be able to obtain the value of a domain password that another Operations Console administrator had set previously and use it for attacks.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
emc rsa_authentication_manager 8.4
rsa authentication_manager *
CVE-2019-3732 MEDIUM

RSA BSAFE Crypto-C Micro Edition, versions prior to 4.0.5.3 (in 4.0.x) and versions prior to 4.1.3.3 (in 4.1.x), and RSA Micro Edition Suite, versions prior to 4.0.11 (in 4.0.x) versions prior to 4.1.6.1 (in 4.1.x) and versions prior to 4.3.3 (4.2.x and 4.3.x) are vulnerable to an Information Exposure Through Timing Discrepancy. A malicious remote user could potentially exploit this vulnerability to extract information leaving data at risk of exposure.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-385,CWE-203,

Products Affected

Vendor Product Version
dell bsafe_crypto-c-micro-edition *
dell bsafe_micro-edition-suite *
emc rsa_bsafe_crypto-c *
CVE-2019-3733 MEDIUM

RSA BSAFE Crypto-C Micro Edition, all versions prior to 4.1.4, is vulnerable to three (3) different Improper Clearing of Heap Memory Before Release vulnerability, also known as 'Heap Inspection vulnerability'. A malicious remote user could potentially exploit this vulnerability to extract information leaving data at risk of exposure.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-316,CWE-459,

Products Affected

Vendor Product Version
dell bsafe_crypto-c-micro-edition *
emc rsa_bsafe_crypto-c *
CVE-2019-3768 MEDIUM

RSA Authentication Manager versions prior to 8.4 P7 contain an XML Entity Injection Vulnerability. A remote authenticated malicious user could potentially exploit this vulnerability to cause information disclosure of local system files by supplying specially crafted XML message.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-611,CWE-611,

Products Affected

Vendor Product Version
emc rsa_authentication_manager 8.4
emc rsa_authentication_manager *
CVE-2020-5339 LOW

RSA Authentication Manager versions prior to 8.4 P10 contain a stored cross-site scripting vulnerability in the Security Console. A malicious RSA Authentication Manager Security Console administrator with advanced privileges could exploit this vulnerability to store arbitrary HTML or JavaScript code through the Security Console web interface. When other Security Console administrators open the affected report page, the injected scripts could potentially be executed in their browser.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N 1.7 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,CWE-79,

Products Affected

Vendor Product Version
emc rsa_authentication_manager 8.4
emc rsa_authentication_manager *
CVE-2020-5340 LOW

RSA Authentication Manager versions prior to 8.4 P10 contain a stored cross-site scripting vulnerability in the Security Console. A malicious RSA Authentication Manager Security Console administrator with advanced privileges could exploit this vulnerability to store arbitrary HTML or JavaScript code through the Security Console web interface. When other Security Console administrators attempt to change the default security domain mapping, the injected scripts could potentially be executed in their browser.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N 1.7 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,CWE-79,

Products Affected

Vendor Product Version
emc rsa_authentication_manager 8.4
emc rsa_authentication_manager *
CVE-2020-5346 LOW

RSA Authentication Manager versions prior to 8.4 P11 contain a stored cross-site scripting vulnerability in the Security Console. A malicious RSA Authentication Manager Security Console administrator with advanced privileges could exploit this vulnerability to store arbitrary HTML or JavaScript code through the Security Console web interface. When other Security Console administrators open the affected page, the injected scripts could potentially be executed in their browser.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N 1.7 2.7
security_alert@emc.com 4.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N 1.7 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,CWE-79,

Products Affected

Vendor Product Version
emc rsa_authentication_manager 8.4
emc rsa_authentication_manager *
CVE-2023-32458

Dell AppSync, versions 4.4.0.0 to 4.6.0.0 including Service Pack releases, contains an improper access control vulnerability in Embedded Service Enabler component. A local malicious user could potentially exploit this vulnerability during installation leading to a privilege escalation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security_alert@emc.com 7.3 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H 1.3 5.9
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
emc appsync *
CVE-2024-0454

ELAN Match-on-Chip FPR solution has design fault about potential risk of valid SID leakage and enumeration with spoof sensor. This fault leads to that Windows Hello recognition would be bypass with cloning SID to cause broken account identity. Version which is lower than 3.0.12011.08009(Legacy)/3.3.12011.08103(ESS) would suffer this risk on DELL Inspiron platform.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
36106deb-8e95-420b-a0a0-e70af5d245df 6.0 MEDIUM CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L 0.5 5.5
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N 0.9 5.2

Products Affected

Vendor Product Version
emc elan_match-on-chip_fpr_solution_firmware 3.0.12011.08009
emc elan_match-on-chip_fpr_solution_firmware 3.3.12011.08103