CVE-2017-7221

8.8HIGH

Key Information:

Vendor
Opentext
Status
Documentum Content Server
Vendor
CVE Published:
25 April 2017

Summary

OpenText Documentum Content Server has an inadequate protection mechanism against SQL injection, which allows remote authenticated users to execute arbitrary code with super-user privileges by leveraging the availability of the dm_bp_transition docbase method with a user-created dm_procedure object, as demonstrated by use of a backspace character in an injected string. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2513.

References

http://seclists.org/fulldisclosure/2017/Apr/97
x_refsource_MISC
https://www.exploit-db.com/exploits/41928/
exploitx_refsource_EXPLOIT-DB
http://www.securityfocus.com/bid/98038
vdb-entryx_refsource_BID

EPSS Score

2% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.