-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ESA-2014-180: EMC Documentum Web Development Kit Multiple Vulnerabilities EMC Identifier: ESA-2014-180 CVE Identifier: CVE-2014-4635, CVE-2014-4636, CVE-2014-4637, CVE-2014-4638, CVE-2014-4639 Severity Rating: See below for individual scores for each CVE Affected Products: All EMC Documentum Web Development Kit (WDK) based clients bundled with version 6.7 SP2 and earlier: EMC WebTop 6.7 SP2 and earlier EMC Documentum Administrator 7.1 and earlier EMC Records Client 6.7 SP2 and earlier EMC Digital Assets Manager 6.5 SP6 and earlier EMC Web Publishers 6.5 SP7 and earlier EMC Task Space 6.7 SP2 and earlier EMC Engineering Plant Facilities Management Solution for Documentum 1.7 SP1 and earlier EMC Capital Projects 1.9 and earlier Summary: EMC Documentum Web Development Kit (WDK) and WDK-based clients contain multiple vulnerabilities that could potentially be exploited by attackers to target the affected systems. Details: The vulnerabilities addressed in Documentum WDK 6.8 are: 1. Cross-Site Scripting (CVE-2014-4635) EMC Documentum WDK and WDK based clients may be affected by multiple cross-site scripting vulnerabilities that could potentially be exploited by an attacker to inject malicious HTML or scripts. This may lead to execution of malicious code in the context of the authenticated user. CVSSv2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 2. Cross-Site Request Forgery (CVE-2014-4636) EMC Documentum WDK and WDK based clients may be affected by a cross-site request forgery vulnerability. An attacker can potentially exploit this vulnerability to trick authenticated users of the application to click on specially crafted links that are embedded within an email, web page, or other source and perform Docbase operations with that user's privileges. CVSSv2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 3. URL Redirection (CVE-2014-4637) EMC Documentum WDK and WDK based clients may be affected by a URL redirection vulnerability that may allow attackers to redirect users to arbitrary web sites and conduct phishing attacks. The attacker can specify the location of the arbitrary site in the un-validated parameter of a crafted URL. If this URL is accessed, the browser is redirected to the arbitrary site specified in the parameter. CVSSv2 Base Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N) 4. Frame Injection (CVE-2014-4638) EMC Documentum WDK and WDK based clients may be affected by a frame injection vulnerability. An attacker can potentially exploit this vulnerability to induce a user to navigate to a web page the attacker controls; the attacker's page loads a third-party page in an HTML frame. This could result in the attacker stealing sensitive information. CVSSv2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 5. Parameter Generated with Insufficient Randomness (CVE-2014-4639) EMC Documentum WDK and WDK based clients use a parameter that is being generated with insufficient randomness to reference Webtop components. An attacker can potentially exploit this vulnerability by predicting the parameter, helping the attacker to launch phishing attacks. CVSSv2 Base Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N) Resolution: EMC Documentum Webtop Version 6.8 contains the resolution to these issues: This advisory will be updated as EMC certifies other WDK-based clients which bundle WDK 6.8. Link To Remedies: Registered EMC Online Support customers can download software for their respective products by navigating to the link below: EMC Documentum Webtop Versions 6.8 https://emc.subscribenet.com/control/dctm/product?child_plneID=685111 EMC Product Security Response Center security_alert@emc.com -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (Cygwin) iEYEARECAAYFAlSqxTAACgkQtjd2rKp+ALxcNwCeN5QZ8DzN12zhb23k+CPNhnz8 WsMAniIFTTk1FOd+IdkI9A+pdsn/O8r9 =+D8V -----END PGP SIGNATURE-----