CVE-2007-3255 - OpenCVE

Multiple cross-site request forgery (CSRF) vulnerabilities in Xythos Enterprise Document Manager (XEDM) before 5.0.25.8, and 6.x before 6.0.46.1, allow remote authenticated users to execute commands as arbitrary users via (1) a saved Workflow name or (2) the Content-Type HTTP header. NOTE: item 2 also affects the same version numbers of Xythos Digital Locker (XDL). One or both vectors might also affect Xythos WebFile Server.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Xythos	Enterprise Document Manager

Configuration 1 [-]

OR	cpe:2.3:a:xythos:enterprise_document_manager::::::::
	cpe:2.3:a:xythos:enterprise_document_manager::::::::

References

Link	Resource
http://osvdb.org/37615
http://osvdb.org/37616
http://secunia.com/advisories/25783
http://securityreason.com/securityalert/2845
http://securitytracker.com/id?1018291
http://securitytracker.com/id?1018292
http://www.securityfocus.com/archive/1/472275/100/0/threaded
http://www.securityfocus.com/bid/24521	Patch
http://www.symantec.com/content/en/us/enterprise/research/SYMSA-2007-004.txt
https://exchange.xforce.ibmcloud.com/vulnerabilities/35084

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2007-06-27T18:00:00

Updated: 2018-10-16T14:57:01

Reserved: 2007-06-19T00:00:00

Link: CVE-2007-3255

JSON object: View

NVD Information

Status : Modified

Published: 2007-06-27T18:30:00.000

Modified: 2018-10-16T16:48:02.060

Link: CVE-2007-3255

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-Other

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2007-06-22T00:00:00", "descriptions": [{"lang": "en", "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in Xythos Enterprise Document Manager (XEDM) before 5.0.25.8, and 6.x before 6.0.46.1, allow remote authenticated users to execute commands as arbitrary users via (1) a saved Workflow name or (2) the Content-Type HTTP header. NOTE: item 2 also affects the same version numbers of Xythos Digital Locker (XDL). One or both vectors might also affect Xythos WebFile Server."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-16T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "20070622 SYMSA-2007-004: Multiple Vulnerabilities in Xythos Server Products", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/472275/100/0/threaded"}, {"name": "24521", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/24521"}, {"name": "37616", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/37616"}, {"name": "25783", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/25783"}, {"name": "1018292", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://securitytracker.com/id?1018292"}, {"name": "xedm-multiple-csrf(35084)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/35084"}, {"tags": ["x_refsource_MISC"], "url": "http://www.symantec.com/content/en/us/enterprise/research/SYMSA-2007-004.txt"}, {"name": "2845", "tags": ["third-party-advisory", "x_refsource_SREASON"], "url": "http://securityreason.com/securityalert/2845"}, {"name": "1018291", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://securitytracker.com/id?1018291"}, {"name": "37615", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/37615"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2007-3255", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in Xythos Enterprise Document Manager (XEDM) before 5.0.25.8, and 6.x before 6.0.46.1, allow remote authenticated users to execute commands as arbitrary users via (1) a saved Workflow name or (2) the Content-Type HTTP header. NOTE: item 2 also affects the same version numbers of Xythos Digital Locker (XDL). One or both vectors might also affect Xythos WebFile Server."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "20070622 SYMSA-2007-004: Multiple Vulnerabilities in Xythos Server Products", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/472275/100/0/threaded"}, {"name": "24521", "refsource": "BID", "url": "http://www.securityfocus.com/bid/24521"}, {"name": "37616", "refsource": "OSVDB", "url": "http://osvdb.org/37616"}, {"name": "25783", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/25783"}, {"name": "1018292", "refsource": "SECTRACK", "url": "http://securitytracker.com/id?1018292"}, {"name": "xedm-multiple-csrf(35084)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/35084"}, {"name": "http://www.symantec.com/content/en/us/enterprise/research/SYMSA-2007-004.txt", "refsource": "MISC", "url": "http://www.symantec.com/content/en/us/enterprise/research/SYMSA-2007-004.txt"}, {"name": "2845", "refsource": "SREASON", "url": "http://securityreason.com/securityalert/2845"}, {"name": "1018291", "refsource": "SECTRACK", "url": "http://securitytracker.com/id?1018291"}, {"name": "37615", "refsource": "OSVDB", "url": "http://osvdb.org/37615"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2007-3255", "datePublished": "2007-06-27T18:00:00", "dateReserved": "2007-06-19T00:00:00", "dateUpdated": "2018-10-16T14:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:xythos:enterprise_document_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "87D3A63D-4031-45AF-971E-781949721BF7", "versionEndIncluding": "5.0.25.7", "vulnerable": true}, {"criteria": "cpe:2.3:a:xythos:enterprise_document_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "D4FB9E86-37C0-4FB7-85E9-EF34DB918C26", "versionEndIncluding": "6.0.46.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in Xythos Enterprise Document Manager (XEDM) before 5.0.25.8, and 6.x before 6.0.46.1, allow remote authenticated users to execute commands as arbitrary users via (1) a saved Workflow name or (2) the Content-Type HTTP header. NOTE: item 2 also affects the same version numbers of Xythos Digital Locker (XDL). One or both vectors might also affect Xythos WebFile Server."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de falsificaci\u00f3n de petici\u00f3n en sitios cruzados (CSRF) en Xythos Enterprise Document Manager (XEDM) anterior a 5.0.25.8, y 6.x anterior a 6.0.46.1, permite a usuarios remotos autenticados ejecutar comandos como usuarios de su elecci\u00f3n mediante (1) un nombre de Workflow guardado o (2) la cabecera HTTP Content-Type. NOTA: el punto 2 tambi\u00e9n afecta a los mismos n\u00fameros de versi\u00f3n de Xythos Digital Locker (XDL). Uno o m\u00e1s vectores podr\u00edan tambi\u00e9n afectar a Xythos WebFile Server."}], "id": "CVE-2007-3255", "lastModified": "2018-10-16T16:48:02.060", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": true, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2007-06-27T18:30:00.000", "references": [{"source": "cve@mitre.org", "url": "http://osvdb.org/37615"}, {"source": "cve@mitre.org", "url": "http://osvdb.org/37616"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/25783"}, {"source": "cve@mitre.org", "url": "http://securityreason.com/securityalert/2845"}, {"source": "cve@mitre.org", "url": "http://securitytracker.com/id?1018291"}, {"source": "cve@mitre.org", "url": "http://securitytracker.com/id?1018292"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/472275/100/0/threaded"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "http://www.securityfocus.com/bid/24521"}, {"source": "cve@mitre.org", "url": "http://www.symantec.com/content/en/us/enterprise/research/SYMSA-2007-004.txt"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/35084"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}