7 matches found
CVE-2017-14757
OpenText Document Sciences xPression (formerly EMC Document Sciences xPression) v4.5SP1 Patch 13 is vulnerable to SQL Injection in /xDashboard/html/jobhistory/downloadSupportFile.action via jobRunId. An attacker must authenticate to exploit. Older versions might be affected. Attack could retrieve...
CVE-2017-14960
CVE-2017-14960 affects EMC OpenText/Document Sciences xPression xDashboard. The vulnerability is a SQL Injection in xDashboard (v4.5SP1 Patch 13) via the parameter model.jobHistoryId used in jobDocHistoryList.action, enabling an attacker to retrieve data from the underlying database. The issue is...
CVE-2017-14758
OpenText Document Sciences xPression (formerly EMC Document Sciences xPression) v4.5SP1 Patch 13 is vulnerable to SQL Injection via /xAdmin/html/cm_doclist_view_uc.jsp with the documentId parameter. The vulnerability requires authentication to the application. Root cause: lack of prepared stateme...
CVE-2017-14754
Affected product: OpenText Document Sciences xPression (formerly EMC Document Sciences xPression), v4.5SP1 Patch 13 (and possibly older versions). Vulnerability type & cause: Arbitrary File Read due to a directory traversal flaw in the xsd_datasource_schema_file parameter used by /xAdmin/html/cm_...
CVE-2017-14759
OpenText Document Sciences xPression (formerly EMC Document Sciences xPression) v4.5SP1 Patch 13 is affected by an XML External Entity (XXE) vulnerability in the QuickDocHttpSoap11Endpoint SOAP service. An unauthenticated attacker can read directory listings or system files, or cause SSRF/Denial ...
CVE-2017-14755
OpenText Document Sciences xPression (formerly EMC Document Sciences xPression) v4.5SP1 Patch 13 is vulnerable to Cross-Site Scripting via /xAdmin/html/XPressoDoc with the categoryId parameter. The CNVD entry confirms a remote attacker can inject arbitrary JavaScript to be reflected to users, ena...
CVE-2017-14756
OpenText Document Sciences xPression, v4.5SP1 Patch 13 (and older) is affected by CVE-2017-14756: a Cross-Site Scripting vulnerability in /xAdmin/html/Deployment (cat_id) that can inject JavaScript reflected to users. Exploitation requires user interaction and can be triggered remotely via crafte...