CVE-2007-3254 - OpenCVE

Multiple cross-site scripting (XSS) vulnerabilities in Xythos Enterprise Document Manager (XEDM) before 5.0.25.8, and 6.x before 6.0.46.1, allow remote authenticated users to inject arbitrary web script or HTML via (1) a saved Workflow name; (2) a Workflow name, related to deletion of a Workflow template; (3) the Content-Type HTTP header; or (4) the name of an uploaded file. NOTE: items 3 and 4 also affect the same version numbers of Xythos Digital Locker (XDL). Some or all vectors might also affect Xythos WebFile Server.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:S/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Xythos	Enterprise Document Manager

Configuration 1 [-]

OR	cpe:2.3:a:xythos:enterprise_document_manager:5.0:::::::*
	cpe:2.3:a:xythos:enterprise_document_manager:6.0:::::::*

No data.

References

Link	Providers
http://osvdb.org/37621
http://osvdb.org/37622
http://osvdb.org/37623
http://osvdb.org/37624
http://secunia.com/advisories/25783
http://securityreason.com/securityalert/2845
http://securitytracker.com/id?1018291
http://securitytracker.com/id?1018292
http://www.securityfocus.com/archive/1/472275/100/0/threaded
http://www.securityfocus.com/bid/24521
http://www.symantec.com/content/en/us/enterprise/research/SYMSA-2007-004.txt
https://exchange.xforce.ibmcloud.com/vulnerabilities/35083

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2007-06-27T18:00:00

Updated: 2024-08-07T14:14:12.406Z

Reserved: 2007-06-19T00:00:00

Link: CVE-2007-3254

Vulnrichment

No data.

NVD

Status : Modified

Published: 2007-06-27T18:30:00.000

Modified: 2018-10-16T16:48:01.217

Link: CVE-2007-3254

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2007-06-22T00:00:00", "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Xythos Enterprise Document Manager (XEDM) before 5.0.25.8, and 6.x before 6.0.46.1, allow remote authenticated users to inject arbitrary web script or HTML via (1) a saved Workflow name; (2) a Workflow name, related to deletion of a Workflow template; (3) the Content-Type HTTP header; or (4) the name of an uploaded file. NOTE: items 3 and 4 also affect the same version numbers of Xythos Digital Locker (XDL). Some or all vectors might also affect Xythos WebFile Server."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-16T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "20070622 SYMSA-2007-004: Multiple Vulnerabilities in Xythos Server Products", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/472275/100/0/threaded"}, {"name": "37624", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/37624"}, {"name": "24521", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/24521"}, {"name": "37623", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/37623"}, {"name": "25783", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/25783"}, {"name": "37622", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/37622"}, {"name": "37621", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/37621"}, {"name": "1018292", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://securitytracker.com/id?1018292"}, {"tags": ["x_refsource_MISC"], "url": "http://www.symantec.com/content/en/us/enterprise/research/SYMSA-2007-004.txt"}, {"name": "2845", "tags": ["third-party-advisory", "x_refsource_SREASON"], "url": "http://securityreason.com/securityalert/2845"}, {"name": "xedm-multiple-xss(35083)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/35083"}, {"name": "1018291", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://securitytracker.com/id?1018291"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2007-3254", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Xythos Enterprise Document Manager (XEDM) before 5.0.25.8, and 6.x before 6.0.46.1, allow remote authenticated users to inject arbitrary web script or HTML via (1) a saved Workflow name; (2) a Workflow name, related to deletion of a Workflow template; (3) the Content-Type HTTP header; or (4) the name of an uploaded file. NOTE: items 3 and 4 also affect the same version numbers of Xythos Digital Locker (XDL). Some or all vectors might also affect Xythos WebFile Server."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "20070622 SYMSA-2007-004: Multiple Vulnerabilities in Xythos Server Products", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/472275/100/0/threaded"}, {"name": "37624", "refsource": "OSVDB", "url": "http://osvdb.org/37624"}, {"name": "24521", "refsource": "BID", "url": "http://www.securityfocus.com/bid/24521"}, {"name": "37623", "refsource": "OSVDB", "url": "http://osvdb.org/37623"}, {"name": "25783", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/25783"}, {"name": "37622", "refsource": "OSVDB", "url": "http://osvdb.org/37622"}, {"name": "37621", "refsource": "OSVDB", "url": "http://osvdb.org/37621"}, {"name": "1018292", "refsource": "SECTRACK", "url": "http://securitytracker.com/id?1018292"}, {"name": "http://www.symantec.com/content/en/us/enterprise/research/SYMSA-2007-004.txt", "refsource": "MISC", "url": "http://www.symantec.com/content/en/us/enterprise/research/SYMSA-2007-004.txt"}, {"name": "2845", "refsource": "SREASON", "url": "http://securityreason.com/securityalert/2845"}, {"name": "xedm-multiple-xss(35083)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/35083"}, {"name": "1018291", "refsource": "SECTRACK", "url": "http://securitytracker.com/id?1018291"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T14:14:12.406Z"}, "title": "CVE Program Container", "references": [{"name": "20070622 SYMSA-2007-004: Multiple Vulnerabilities in Xythos Server Products", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/472275/100/0/threaded"}, {"name": "37624", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://osvdb.org/37624"}, {"name": "24521", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/24521"}, {"name": "37623", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://osvdb.org/37623"}, {"name": "25783", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/25783"}, {"name": "37622", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://osvdb.org/37622"}, {"name": "37621", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://osvdb.org/37621"}, {"name": "1018292", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://securitytracker.com/id?1018292"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.symantec.com/content/en/us/enterprise/research/SYMSA-2007-004.txt"}, {"name": "2845", "tags": ["third-party-advisory", "x_refsource_SREASON", "x_transferred"], "url": "http://securityreason.com/securityalert/2845"}, {"name": "xedm-multiple-xss(35083)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/35083"}, {"name": "1018291", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://securitytracker.com/id?1018291"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2007-3254", "datePublished": "2007-06-27T18:00:00", "dateReserved": "2007-06-19T00:00:00", "dateUpdated": "2024-08-07T14:14:12.406Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:xythos:enterprise_document_manager:5.0:*:*:*:*:*:*:*", "matchCriteriaId": "A884B8B1-D617-44E8-B707-D5FEB3DC6E47", "vulnerable": true}, {"criteria": "cpe:2.3:a:xythos:enterprise_document_manager:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "E370848C-21C2-437B-9138-C5CFE9669732", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Xythos Enterprise Document Manager (XEDM) before 5.0.25.8, and 6.x before 6.0.46.1, allow remote authenticated users to inject arbitrary web script or HTML via (1) a saved Workflow name; (2) a Workflow name, related to deletion of a Workflow template; (3) the Content-Type HTTP header; or (4) the name of an uploaded file. NOTE: items 3 and 4 also affect the same version numbers of Xythos Digital Locker (XDL). Some or all vectors might also affect Xythos WebFile Server."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en Xythos Enterprise Document Manager (XEDM) anterior a 5.0.25.8, y 6.x anterior a 6.0.46.1,permite a usuarios remotos autenticados inyectar secuencias de comandos web o HTML de su elecci\u00f3n mediante (1) un nombre de Workflow guardado; (2) un nombre de Workflow, relacionado con el borrado de una plantilla de Workflow; (3) la cabecera HTTP Content-Type; o (4) el nombre de un fichero subido. NOTA: los puntos 3 y 4 tambi\u00e9n afectan a los mismos n\u00fameros de versi\u00f3n de Xythos Digital Locker (XDL). Algunos o todos los vectores tambi\u00e9n afectan a Xythos WebFile Server."}], "id": "CVE-2007-3254", "lastModified": "2018-10-16T16:48:01.217", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2007-06-27T18:30:00.000", "references": [{"source": "cve@mitre.org", "url": "http://osvdb.org/37621"}, {"source": "cve@mitre.org", "url": "http://osvdb.org/37622"}, {"source": "cve@mitre.org", "url": "http://osvdb.org/37623"}, {"source": "cve@mitre.org", "url": "http://osvdb.org/37624"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/25783"}, {"source": "cve@mitre.org", "url": "http://securityreason.com/securityalert/2845"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "http://securitytracker.com/id?1018291"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "http://securitytracker.com/id?1018292"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/472275/100/0/threaded"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/24521"}, {"source": "cve@mitre.org", "url": "http://www.symantec.com/content/en/us/enterprise/research/SYMSA-2007-004.txt"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/35083"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}