EmcCVEs & Vulnerabilities

414 CVEs affecting Emc products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

networker 370isilon onefs 241documentum content server 106rsa archer egrc 96avamar server 69rsa identity management and governance 68rsa authentication manager 43avamar 41
CVE-2014-2503HIGH

The thumbnail proxy server in EMC Documentum Digital Asset Manager (DAM) 6.5 SP3, 6.5 SP4, 6.5 SP5, and 6.5 SP6 before P13 allows remote attackers to conduct Documentum Query Language (DQL) injection attacks and bypass intended restrictions on querying objects via a crafted parameter in a query string.

6 Jun 2014
7.5
CVSS
CVE-2014-2502MEDIUM

Cross-site scripting (XSS) vulnerability in rsa_fso.swf in EMC RSA Adaptive Authentication (Hosted) 11.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4 Jun 2014
4.3
CVSS
CVE-2014-2504CRITICAL

EMC Documentum D2 3.1 before P20, 3.1 SP1 before P02, 4.0 before P10, 4.1 before P13, and 4.2 before P01 allows remote authenticated users to bypass intended access restrictions and execute arbitrary Documentum Query Language (DQL) queries by calling (1) a core method or (2) a D2FS web-service method.

26 May 2014
9.0
CVSS
CVE-2014-0639MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in EMC RSA Archer 5.x before GRC 5.4 SP1 P3 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

26 May 2014
4.3
CVSS
CVE-2014-0643HIGH

EMC RSA NetWitness before 9.8.5.19 and RSA Security Analytics before 10.2.4 and 10.3.x before 10.3.2, when Kerberos PAM is enabled, do not require a password, which allows remote attackers to bypass authentication by leveraging knowledge of a valid account name.

16 May 2014
7.6
CVSS
CVE-2014-0646MEDIUM

The runtime WS component in the server in EMC RSA Access Manager 6.1.3 before 6.1.3.39, 6.1.4 before 6.1.4.22, 6.2.0 before 6.2.0.11, and 6.2.1 before 6.2.1.03, when INFO logging is enabled, allows local users to discover cleartext passwords by reading log files.

1 May 2014
6.9
CVSS
CVE-2014-0645MEDIUM

EMC Cloud Tiering Appliance (CTA) 9.x through 10 SP1 and File Management Appliance (FMA) 7.x store DES password hashes for the root, super, and admin accounts, which makes it easier for context-dependent attackers to obtain sensitive information via a brute-force attack.

17 Apr 2014
4.7
CVSS
CVE-2014-0644HIGHpoc

EMC Cloud Tiering Appliance (CTA) 10 through SP1 allows remote attackers to read arbitrary files via an api/login request containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, as demonstrated by reading the /etc/shadow file.

17 Apr 2014
7.8
CVSS
CVE-2014-0642MEDIUM

EMC Documentum Content Server before 6.7 SP1 P26, 6.7 SP2 before P13, 7.0 before P13, and 7.1 before P02 allows remote authenticated users to bypass intended access restrictions and read metadata from certain folders via unspecified vectors.

16 Apr 2014
5.5
CVSS
CVE-2014-0638MEDIUM

Cross-site scripting (XSS) vulnerability in RSA Adaptive Authentication (On-Premise) 6.x and 7.x before 7.1 SP0 P2 allows remote attackers to inject arbitrary web script or HTML via vectors involving FRAME elements, related to a "cross-frame scripting" issue.

4 Apr 2014
4.3
CVSS
CVE-2014-0637MEDIUM

Cross-site scripting (XSS) vulnerability in the back-office case-management application in RSA Adaptive Authentication (On-Premise) 6.x and 7.x before 7.1 SP0 P2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

4 Apr 2014
4.3
CVSS
CVE-2014-0635HIGH

Session fixation vulnerability in EMC VPLEX GeoSynchrony 4.x and 5.x before 5.3 allows remote attackers to hijack web sessions via unspecified vectors.

1 Apr 2014
7.5
CVSS
CVE-2014-0634MEDIUM

EMC VPLEX GeoSynchrony 4.x and 5.x before 5.3 does not include the HTTPOnly flag in a Set-Cookie header for an unspecified cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

1 Apr 2014
6.0
CVSS
CVE-2014-0633HIGH

The GUI in EMC VPLEX GeoSynchrony 4.x and 5.x before 5.3 does not properly validate session-timeout values, which might make it easier for remote attackers to execute arbitrary code by leveraging an unattended workstation.

1 Apr 2014
7.7
CVSS
CVE-2014-0632CRITICAL

Directory traversal vulnerability in EMC VPLEX GeoSynchrony 4.x and 5.x before 5.3 allows remote authenticated users to execute arbitrary code via unspecified vectors.

1 Apr 2014
9.0
CVSS
CVE-2014-0623MEDIUM

Cross-site scripting (XSS) vulnerability in the Self-Service Console in EMC RSA Authentication Manager 7.1 before SP4 P32 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to a "cross frame scripting" issue.

27 Mar 2014
4.3
CVSS
CVE-2014-2276MEDIUM

The FileUploadController servlet in EMC Connectrix Manager Converged Network Edition (CMCNE) before 12.1.5 does not properly restrict additions to the Connectrix Manager repository, which allows remote attackers to obtain sensitive information by importing a crafted firmware file.

21 Mar 2014
5.0
CVSS
CVE-2014-0630MEDIUM

EMC Documentum TaskSpace (TSP) 6.7SP1 before P25 and 6.7SP2 before P11 allows remote authenticated users to read arbitrary files via a modified imaging-service URL.

6 Mar 2014
4.0
CVSS
CVE-2014-0629HIGH

EMC Documentum TaskSpace (TSP) 6.7SP1 before P25 and 6.7SP2 before P11 does not properly handle the interaction between the dm_world group and the dm_superusers_dynamic group, which allows remote authenticated users to obtain sensitive information and gain privileges in opportunistic circumstances by leveraging an incorrect group-addition implementation.

6 Mar 2014
8.5
CVSS
CVE-2014-0624LOW

EMC RSA Data Loss Prevention (DLP) 9.x before 9.6-SP2 does not properly manage sessions, which allows remote authenticated users to gain privileges and bypass intended content-reading restrictions via unspecified vectors.

6 Mar 2014
2.7
CVSS
CVE-2014-0627MEDIUM

The SSLEngine API implementation in EMC RSA BSAFE SSL-J 5.x before 5.1.3 and 6.x before 6.0.2 allows remote attackers to trigger the selection of a weak cipher suite by using the wrap method during a certain incomplete-handshake state.

18 Feb 2014
5.0
CVSS
CVE-2014-0626MEDIUM

The (1) JSAFE and (2) JSSE APIs in EMC RSA BSAFE SSL-J 5.x before 5.1.3 and 6.x before 6.0.2 make it easier for remote attackers to bypass intended cryptographic protection mechanisms by triggering application-data processing during the TLS handshake, a time at which the data is both unencrypted and unauthenticated.

18 Feb 2014
5.0
CVSS
CVE-2014-0625MEDIUM

The SSLSocket implementation in the (1) JSAFE and (2) JSSE APIs in EMC RSA BSAFE SSL-J 5.x before 5.1.3 and 6.x before 6.0.2 allows remote attackers to cause a denial of service (memory consumption) by triggering application-data processing during the TLS handshake, a time at which the data is internally buffered.

18 Feb 2014
5.0
CVSS
CVE-2014-0622CRITICAL

The web service in EMC Documentum Foundation Services (DFS) 6.5 through 6.7 before 6.7 SP1 P22, 6.7 SP2 before P08, 7.0 before P12, and 7.1 before P01 does not properly implement content uploading, which allows remote authenticated users to bypass intended content access restrictions via unspecified vectors.

7 Feb 2014
9.0
CVSS
CVE-2013-6182HIGH

Unquoted Windows search path vulnerability in EMC Replication Manager before 5.5 allows local users to gain privileges via a crafted application in a parent directory of an intended directory.

28 Dec 2013
7.2
CVSS
CVE-2013-6181LOW

EMC Watch4Net before 6.3 stores cleartext polled-device passwords in the installation repository, which allows local users to obtain sensitive information by leveraging repository privileges.

28 Dec 2013
2.1
CVSS
CVE-2013-6178MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in EMC RSA Archer GRC 5.x before 5.4 SP1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

20 Dec 2013
4.3
CVSS
CVE-2013-6810CRITICALpoc

The server in Brocade Network Advisor before 12.1.0, as used in EMC Connectrix Manager Converged Network Edition (CMCNE), HP B-series SAN Network Advisor, and possibly other products, allows remote attackers to execute arbitrary code by using a servlet to upload an executable file.

12 Dec 2013
10.0
CVSS
CVE-2013-6180MEDIUM

EMC RSA Security Analytics (SA) 10.x before 10.3, and RSA NetWitness NextGen 9.8, does not ensure that SA Core requests originate from the SA REST UI, which allows remote attackers to bypass intended access restrictions by sending a Core request from a web browser or other unintended user agent.

9 Dec 2013
6.8
CVSS
CVE-2013-3288MEDIUM

Cross-site scripting (XSS) vulnerability on the EMC RSA Data Protection Manager (DPM) appliance 3.2.x before 3.2.4.2 and 3.5.x before 3.5.1 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.

22 Nov 2013
4.3
CVSS
CVE-2013-6177LOW

Directory traversal vulnerability in EMC Document Sciences xPression 4.1 SP1 before Patch 47, 4.2 before Patch 26, and 4.5 before Patch 05, as used in Documentum Edition, Enterprise Edition Publish Engine, and Enterprise Edition Compuset Engine, allows remote authenticated users to read arbitrary files by leveraging xDashboard access.

21 Nov 2013
3.5
CVSS
CVE-2013-6176MEDIUM

Multiple SQL injection vulnerabilities in EMC Document Sciences xPression 4.1 SP1 before Patch 47, 4.2 before Patch 26, and 4.5 before Patch 05, as used in Documentum Edition, Enterprise Edition Publish Engine, and Enterprise Edition Compuset Engine, allow remote authenticated users to execute arbitrary SQL commands via unspecified input to a (1) xAdmin or (2) xDashboard form.

21 Nov 2013
6.5
CVSS
CVE-2013-6175MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in EMC Document Sciences xPression 4.1 SP1 before Patch 47, 4.2 before Patch 26, and 4.5 before Patch 05, as used in Documentum Edition, Enterprise Edition Publish Engine, and Enterprise Edition Compuset Engine, allow remote attackers to inject arbitrary web script or HTML via unspecified input to a (1) xAdmin or (2) xDashboard form.

21 Nov 2013
4.3
CVSS
CVE-2013-6174MEDIUM

Multiple open redirect vulnerabilities in xAdmin in EMC Document Sciences xPression 4.1 SP1 before Patch 47, 4.2 before Patch 26, and 4.5 before Patch 05, as used in Documentum Edition, Enterprise Edition Publish Engine, and Enterprise Edition Compuset Engine, allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified parameters.

21 Nov 2013
5.8
CVSS
CVE-2013-6173MEDIUM

Multiple cross-site request forgery (CSRF) vulnerabilities in EMC Document Sciences xPression 4.1 SP1 before Patch 47, 4.2 before Patch 26, and 4.5 before Patch 05, as used in Documentum Edition, Enterprise Edition Publish Engine, and Enterprise Edition Compuset Engine, allow remote attackers to hijack the authentication of administrators for requests that perform administrative actions in (1) xAdmin or (2) xDashboard.

21 Nov 2013
6.8
CVSS
CVE-2013-3286MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in EMC Documentum eRoom before 7.4.4 P11 allow remote attackers to inject arbitrary web script or HTML via a crafted URL.

6 Nov 2013
4.3
CVSS
CVE-2013-3281MEDIUM

Cross-site scripting (XSS) vulnerability in EMC Documentum Webtop before 6.7 SP2 P07, Documentum WDK before 6.7 SP2 P07, Documentum Taskspace before 6.7 SP2 P07, Documentum Records Manager before 6.7 SP2 P07, Documentum Web Publisher before 6.5 SP7, Documentum Digital Asset Manager before 6.5 SP6, Documentum Administrator before 6.7 SP2 P07, and Documentum Capital Projects before 1.8 P01 allows remote attackers to inject arbitrary web script or HTML via a crafted parameter in a URL.

6 Nov 2013
4.3
CVSS
CVE-2013-3285LOW

The NetWorker Management Console (NMC) in EMC NetWorker 8.0.x before 8.0.2.3, when using Active Directory/LDAP for authentication, allows remote authenticated users to discover cleartext administrator passwords via (1) unspecified NMC audit reports or (2) requests to RAP resources.

2 Nov 2013
3.5
CVSS
CVE-2013-3280HIGH

EMC RSA Authentication Agent 7.1.x before 7.1.2 for Web for Internet Information Services has a fail-open design, which allows remote attackers to bypass intended access restrictions via vectors that trigger an agent crash.

25 Oct 2013
7.5
CVSS
CVE-2013-3279MEDIUM

EMC Atmos before 2.1.4 has a blank password for the PostgreSQL account, which allows remote attackers to obtain sensitive administrative information via a database-server connection.

16 Oct 2013
5.0
CVSS
CVE-2013-3278MEDIUM

EMC VPLEX before VPLEX GeoSynchrony 5.2 SP1 uses cleartext for storage of the LDAP/AD bind password, which allows local users to obtain sensitive information by reading the management-server configuration file.

1 Oct 2013
4.9
CVSS
CVE-2013-3277MEDIUM

Open redirect vulnerability in EMC RSA Archer GRC 5.x before 5.4 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

5 Sep 2013
5.8
CVSS
CVE-2013-3276MEDIUM

EMC RSA Archer GRC 5.x before 5.4 allows remote authenticated users to bypass intended access restrictions and complete a login by leveraging a deactivated account.

5 Sep 2013
6.0
CVSS
CVE-2013-3271MEDIUM

EMC RSA Authentication Agent for PAM 7.0 before 7.0.2.1 enforces the maximum number of login attempts within the PAM-enabled application codebase, instead of within the Agent codebase, which makes it easier for remote attackers to discover correct login credentials via a brute-force attack.

28 Aug 2013
5.0
CVSS
CVE-2013-0943MEDIUM

EMC NetWorker 7.6.x and 8.x before 8.1 allows local users to obtain sensitive configuration information by leveraging operating-system privileges to perform decryption with nsradmin.

31 Jul 2013
4.6
CVSS
CVE-2013-3275MEDIUM

EMC Avamar Server and Avamar Virtual Edition before 7.0 on Data Store Gen3, Gen4, and Gen4s platforms do not properly restrict use of FRAME elements, which makes it easier for remote attackers to obtain sensitive information via a crafted web site, related to "cross frame scripting vulnerabilities."

19 Jul 2013
4.3
CVSS
CVE-2013-3274CRITICAL

EMC Avamar Server and Avamar Virtual Edition before 7.0 on Data Store Gen3, Gen4, and Gen4s platforms do not properly determine authorization for calls to Java RMI methods, which allows remote authenticated users to execute arbitrary code via unspecified vectors.

19 Jul 2013
9.0
CVSS
CVE-2013-3273LOW

EMC RSA Authentication Manager 8.0 before P2 and 7.1 before SP4 P26, as used in Appliance 3.0, does not omit the cleartext administrative password from trace logging in custom SDK applications, which allows local users to obtain sensitive information by reading the trace log file.

8 Jul 2013
2.1
CVSS
Emc CVEs & Vulnerabilities — 414 Tracked — Page 6