CVE Vulnerabilities

CVE-2016-0881

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Published: Feb 12, 2016 | Modified: Jan 11, 2017
CVSS 3.x
6.5
MEDIUM
Source:
NVD
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS 2.x
4 MEDIUM
AV:N/AC:L/Au:S/C:P/I:N/A:N
RedHat/V2
RedHat/V3
Ubuntu

EMC Documentum xCP 2.1 before patch 23 and 2.2 before patch 11 allows remote authenticated users to conduct Documentum Query Language (DQL) injection attacks and obtain sensitive repository information by appending a query to a REST request.

Weakness

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Affected Software

Name Vendor Start Version End Version
Documentum_xcp Emc 2.1 (including) 2.1 (including)
Documentum_xcp Emc 2.2 (including) 2.2 (including)

Potential Mitigations

References