DQL Injection Vulnerability in OpenText Documentum Content Server Products
CVE-2017-5585

8.8HIGH

Key Information:

Vendor
Opentext
Vendor
CVE Published:
22 February 2017

Summary

OpenText Documentum Content Server version 7.3, when integrated with PostgreSQL Database, is susceptible to DQL injection due to improper handling of query hints. When the return_top_results_row_based configuration is set to false, remote authenticated users can exploit this vulnerability to inject crafted DQL commands. This exploits an incomplete fix for a prior vulnerability, allowing unauthorized manipulation of database commands, thereby posing a significant security risk.

References

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.