Vulnerability Name:

CVE-2014-3138 (CCN-92548)

Assigned:2014-04-15
Published:2014-04-15
Updated:2017-08-29
Summary:SQL injection vulnerability in Xerox DocuShare before 6.53 Patch 6 Hotfix 2, 6.6.1 Update 1 before Hotfix 24, and 6.6.1 Update 2 before Hotfix 3 allows remote authenticated users to execute arbitrary SQL commands via the PATH_INFO to /docushare/dsweb/ResultBackgroundJobMultiple/.
Note: some of these details are obtained from third party information.
CVSS v3 Severity:7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): Low
CVSS v2 Severity:6.5 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P)
5.7 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
7.5 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
6.5 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
Vulnerability Type:CWE-89
Vulnerability Consequences:Data Manipulation
References:Source: MITRE
Type: CNA
CVE-2014-3138

Source: CCN
Type: Xerox Docushare Web site
Document Management | Xerox Docushare

Source: MISC
Type: Exploit
http://packetstormsecurity.com/files/126171/Xerox-DocuShare-SQL-Injection.html

Source: FULLDISC
Type: UNKNOWN
20140415 Xerox DocuShare authenticated SQL injection

Source: CCN
Type: SA57996
Xerox DocuShare URL SQL Injection Vulnerability

Source: SECUNIA
Type: Vendor Advisory
57996

Source: EXPLOIT-DB
Type: Exploit
32886

Source: OSVDB
Type: UNKNOWN
105972

Source: BID
Type: Exploit
66922

Source: CCN
Type: BID-66922
Xerox DocuShare '/docushare/dsweb/ResultBackgroundJobMultiple/1' SQL Injection Vulnerability

Source: CCN
Type: XRX14-003
Software Release to Eliminate SQL Injection Vulnerability

Source: MISC
Type: Vendor Advisory
http://www.xerox.com/download/security/security-bulletin/a72cd-4f7a54ce14460/cert_XRX14-003_V1.0.pdf

Source: XF
Type: UNKNOWN
xerox-docushare-sql-injection(92548)

Source: XF
Type: UNKNOWN
xerox-docushare-sql-injection(92548)

Source: CCN
Type: Packet Storm Security [04-15-2014]
Xerox DocuShare SQL Injection

Vulnerable Configuration:Configuration 1:
  • cpe:/a:xerox:docushare:6.5.3:-:*:*:*:*:*:*
  • OR cpe:/a:xerox:docushare:6.5.3:patch6:*:*:*:*:*:*
  • OR cpe:/a:xerox:docushare:6.6.1:-:*:*:*:*:*:*
  • OR cpe:/a:xerox:docushare:6.6.1:update1:*:*:*:*:*:*
  • OR cpe:/a:xerox:docushare:6.6.1:update2:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:xerox:docushare:6.0:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    xerox docushare 6.5.3 -
    xerox docushare 6.5.3 patch6
    xerox docushare 6.6.1 -
    xerox docushare 6.6.1 update1
    xerox docushare 6.6.1 update2
    xerox docushare 6.0