Vulnerability CVE-2013-6173 - CERT Civis.Net

Vulnerability Name:

CVE-2013-6173 (CCN-89073)

Assigned:

2013-11-19

Published:

2013-11-19

Updated:

2015-07-22

Summary:

Multiple cross-site request forgery (CSRF) vulnerabilities in EMC Document Sciences xPression 4.1 SP1 before Patch 47, 4.2 before Patch 26, and 4.5 before Patch 05, as used in Documentum Edition, Enterprise Edition Publish Engine, and Enterprise Edition Compuset Engine, allow remote attackers to hijack the authentication of administrators for requests that perform administrative actions in (1) xAdmin or (2) xDashboard.

CVSS v3 Severity:

8.6 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): High Availibility (A): Low

CVSS v2 Severity:

6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
5.9 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

8.3 High (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:C/A:P)
7.2 High (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:C/A:P/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Complete Availibility (A): Partial

Vulnerability Type:

Vulnerability Consequences:

Cross-Site Scripting

References:

Source: BUGTRAQ
Type: UNKNOWN
20131119 ESA-2013-078: EMC Document Sciences xPression Multiple Vulnerabilities

Source: CCN
Type: ESA-2013-078
EMC Document Sciences xPression Multiple Vulnerabilities

Source: MITRE
Type: CNA
CVE-2013-6173

Source: OSVDB
Type: UNKNOWN
99985

Source: MISC
Type: UNKNOWN
http://packetstormsecurity.com/files/124070/EMC-Document-Sciences-xPression-XSS-CSRF-Redirect-SQL-Injection.html

Source: CCN
Type: US-CERT VU#346982
EMC Document Sciences xPression contains multiple vulnerabilities

Source: CERT-VN
Type: US Government Resource
VU#346982

Source: CCN
Type: OSVDB ID: 99985
EMC Document Sciences xPression Unspecified Admin Actions CSRF

Source: CCN
Type: BID-63807
EMC Document Sciences xPression CVE-2013-6173 Multiple Cross Site Request Forgery Vulnerabilities

Source: SECTRACK
Type: UNKNOWN
1029384

Source: XF
Type: UNKNOWN
emc-xpression-cve20136173-csrf(89073)

Vulnerable Configuration:

Configuration 1:

cpe:/a:emc:document_sciences_xpression:4.1:sp1:-:*:documentum:*:*:*

OR cpe:/a:emc:document_sciences_xpression:4.2:-:-:*:documentum:*:*:*

OR cpe:/a:emc:document_sciences_xpression:4.5:-:-:*:documentum:*:*:*

Configuration 2:

cpe:/a:emc:document_sciences_xpression:4.1:sp1:-:*:enterprise:-:-:publish_engine

OR cpe:/a:emc:document_sciences_xpression:4.2:-:-:*:enterprise:-:-:publish_engine

OR cpe:/a:emc:document_sciences_xpression:4.5:-:-:*:enterprise:-:-:publish_engine

Configuration 3:

cpe:/a:emc:document_sciences_xpression:4.1:sp1:-:*:enterprise:-:-:compuset_engine

OR cpe:/a:emc:document_sciences_xpression:4.2:-:-:*:enterprise:-:-:compuset_engine

OR cpe:/a:emc:document_sciences_xpression:4.5:-:-:*:enterprise:-:-:compuset_engine

Configuration CCN 1:

cpe:/a:emc:document_sciences_xpression:4.2:-:-:*:enterprise:-:-:compuset_engine

OR cpe:/a:emc:document_sciences_xpression:4.5:-:-:*:documentum:*:*:*

OR cpe:/a:emc:document_sciences_xpression:4.2:-:-:*:documentum:*:*:*

OR cpe:/a:emc:document_sciences_xpression:4.5:-:-:*:documentum:*:*:*

Denotes that component is vulnerable