CVE-2007-3255 - Vulnerability Details - OpenCVE

Multiple cross-site request forgery (CSRF) vulnerabilities in Xythos Enterprise Document Manager (XEDM) before 5.0.25.8, and 6.x before 6.0.46.1, allow remote authenticated users to execute commands as arbitrary users via (1) a saved Workflow name or (2) the Content-Type HTTP header. NOTE: item 2 also affects the same version numbers of Xythos Digital Locker (XDL). One or both vectors might also affect Xythos WebFile Server.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.01192.

Key SSVC decision points have not yet been added.

Vendors	Products
Xythos	Enterprise Document Manager

Configuration 1 [-]

OR	cpe:2.3:a:xythos:enterprise_document_manager::::::::
	cpe:2.3:a:xythos:enterprise_document_manager::::::::

No data.

No data.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://osvdb.org/37615
http://osvdb.org/37616
http://secunia.com/advisories/25783
http://securityreason.com/securityalert/2845
http://securitytracker.com/id?1018291
http://securitytracker.com/id?1018292
http://www.securityfocus.com/archive/1/472275/100/0/threaded
http://www.securityfocus.com/bid/24521
http://www.symantec.com/content/en/us/enterprise/research/SYMSA-2007-004.txt
https://exchange.xforce.ibmcloud.com/vulnerabilities/35084

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2007-06-27T18:00:00

Updated: 2024-08-07T14:14:11.482Z

Reserved: 2007-06-19T00:00:00

Link: CVE-2007-3255

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2007-06-27T18:30:00.000

Modified: 2025-04-09T00:30:58.490

Link: CVE-2007-3255

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2007-06-22T00:00:00", "descriptions": [{"lang": "en", "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in Xythos Enterprise Document Manager (XEDM) before 5.0.25.8, and 6.x before 6.0.46.1, allow remote authenticated users to execute commands as arbitrary users via (1) a saved Workflow name or (2) the Content-Type HTTP header. NOTE: item 2 also affects the same version numbers of Xythos Digital Locker (XDL). One or both vectors might also affect Xythos WebFile Server."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-16T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "20070622 SYMSA-2007-004: Multiple Vulnerabilities in Xythos Server Products", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/472275/100/0/threaded"}, {"name": "24521", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/24521"}, {"name": "37616", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/37616"}, {"name": "25783", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/25783"}, {"name": "1018292", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://securitytracker.com/id?1018292"}, {"name": "xedm-multiple-csrf(35084)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/35084"}, {"tags": ["x_refsource_MISC"], "url": "http://www.symantec.com/content/en/us/enterprise/research/SYMSA-2007-004.txt"}, {"name": "2845", "tags": ["third-party-advisory", "x_refsource_SREASON"], "url": "http://securityreason.com/securityalert/2845"}, {"name": "1018291", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://securitytracker.com/id?1018291"}, {"name": "37615", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/37615"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2007-3255", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in Xythos Enterprise Document Manager (XEDM) before 5.0.25.8, and 6.x before 6.0.46.1, allow remote authenticated users to execute commands as arbitrary users via (1) a saved Workflow name or (2) the Content-Type HTTP header. NOTE: item 2 also affects the same version numbers of Xythos Digital Locker (XDL). One or both vectors might also affect Xythos WebFile Server."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "20070622 SYMSA-2007-004: Multiple Vulnerabilities in Xythos Server Products", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/472275/100/0/threaded"}, {"name": "24521", "refsource": "BID", "url": "http://www.securityfocus.com/bid/24521"}, {"name": "37616", "refsource": "OSVDB", "url": "http://osvdb.org/37616"}, {"name": "25783", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/25783"}, {"name": "1018292", "refsource": "SECTRACK", "url": "http://securitytracker.com/id?1018292"}, {"name": "xedm-multiple-csrf(35084)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/35084"}, {"name": "http://www.symantec.com/content/en/us/enterprise/research/SYMSA-2007-004.txt", "refsource": "MISC", "url": "http://www.symantec.com/content/en/us/enterprise/research/SYMSA-2007-004.txt"}, {"name": "2845", "refsource": "SREASON", "url": "http://securityreason.com/securityalert/2845"}, {"name": "1018291", "refsource": "SECTRACK", "url": "http://securitytracker.com/id?1018291"}, {"name": "37615", "refsource": "OSVDB", "url": "http://osvdb.org/37615"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T14:14:11.482Z"}, "title": "CVE Program Container", "references": [{"name": "20070622 SYMSA-2007-004: Multiple Vulnerabilities in Xythos Server Products", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/472275/100/0/threaded"}, {"name": "24521", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/24521"}, {"name": "37616", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://osvdb.org/37616"}, {"name": "25783", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/25783"}, {"name": "1018292", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://securitytracker.com/id?1018292"}, {"name": "xedm-multiple-csrf(35084)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/35084"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.symantec.com/content/en/us/enterprise/research/SYMSA-2007-004.txt"}, {"name": "2845", "tags": ["third-party-advisory", "x_refsource_SREASON", "x_transferred"], "url": "http://securityreason.com/securityalert/2845"}, {"name": "1018291", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://securitytracker.com/id?1018291"}, {"name": "37615", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://osvdb.org/37615"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2007-3255", "datePublished": "2007-06-27T18:00:00", "dateReserved": "2007-06-19T00:00:00", "dateUpdated": "2024-08-07T14:14:11.482Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:xythos:enterprise_document_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "87D3A63D-4031-45AF-971E-781949721BF7", "versionEndIncluding": "5.0.25.7", "vulnerable": true}, {"criteria": "cpe:2.3:a:xythos:enterprise_document_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "D4FB9E86-37C0-4FB7-85E9-EF34DB918C26", "versionEndIncluding": "6.0.46.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in Xythos Enterprise Document Manager (XEDM) before 5.0.25.8, and 6.x before 6.0.46.1, allow remote authenticated users to execute commands as arbitrary users via (1) a saved Workflow name or (2) the Content-Type HTTP header. NOTE: item 2 also affects the same version numbers of Xythos Digital Locker (XDL). One or both vectors might also affect Xythos WebFile Server."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de falsificaci\u00f3n de petici\u00f3n en sitios cruzados (CSRF) en Xythos Enterprise Document Manager (XEDM) anterior a 5.0.25.8, y 6.x anterior a 6.0.46.1, permite a usuarios remotos autenticados ejecutar comandos como usuarios de su elecci\u00f3n mediante (1) un nombre de Workflow guardado o (2) la cabecera HTTP Content-Type. NOTA: el punto 2 tambi\u00e9n afecta a los mismos n\u00fameros de versi\u00f3n de Xythos Digital Locker (XDL). Uno o m\u00e1s vectores podr\u00edan tambi\u00e9n afectar a Xythos WebFile Server."}], "id": "CVE-2007-3255", "lastModified": "2025-04-09T00:30:58.490", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": true, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2007-06-27T18:30:00.000", "references": [{"source": "cve@mitre.org", "url": "http://osvdb.org/37615"}, {"source": "cve@mitre.org", "url": "http://osvdb.org/37616"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/25783"}, {"source": "cve@mitre.org", "url": "http://securityreason.com/securityalert/2845"}, {"source": "cve@mitre.org", "url": "http://securitytracker.com/id?1018291"}, {"source": "cve@mitre.org", "url": "http://securitytracker.com/id?1018292"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/472275/100/0/threaded"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "http://www.securityfocus.com/bid/24521"}, {"source": "cve@mitre.org", "url": "http://www.symantec.com/content/en/us/enterprise/research/SYMSA-2007-004.txt"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/35084"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/37615"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/37616"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/25783"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://securityreason.com/securityalert/2845"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://securitytracker.com/id?1018291"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://securitytracker.com/id?1018292"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/472275/100/0/threaded"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "http://www.securityfocus.com/bid/24521"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.symantec.com/content/en/us/enterprise/research/SYMSA-2007-004.txt"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/35084"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}