Vulnerability Details : CVE-2014-3138
SQL injection vulnerability in Xerox DocuShare before 6.53 Patch 6 Hotfix 2, 6.6.1 Update 1 before Hotfix 24, and 6.6.1 Update 2 before Hotfix 3 allows remote authenticated users to execute arbitrary SQL commands via the PATH_INFO to /docushare/dsweb/ResultBackgroundJobMultiple/. NOTE: some of these details are obtained from third party information.
Vulnerability category: SQL Injection
Exploit prediction scoring system (EPSS) score for CVE-2014-3138
Probability of exploitation activity in the next 30 days: 0.18%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 54 %
CVSS scores for CVE-2014-3138
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P | 8.0 | 6.4 | NIST |
CWE ids for CVE-2014-3138
- The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.
  Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-3138
- https://exchange.xforce.ibmcloud.com/vulnerabilities/92548
  Xerox DocuShare SQL injection CVE-2014-3138 Vulnerability Report
- http://seclists.org/fulldisclosure/2014/Apr/205
  Full Disclosure: Xerox DocuShare authenticated SQL injection
- http://www.securityfocus.com/bid/66922
  Xerox DocuShare '/docushare/dsweb/ResultBackgroundJobMultiple/1' SQL Injection Vulnerability [Exploit]
- http://www.xerox.com/download/security/security-bulletin/a72cd-4f7a54ce14460/cert_XRX14-003_V1.0.pdf
  Vendor Advisory
- http://packetstormsecurity.com/files/126171/Xerox-DocuShare-SQL-Injection.html
  Xerox DocuShare SQL Injection ≈ Packet Storm [Exploit]
- http://www.exploit-db.com/exploits/32886
  Xerox DocuShare - SQL Injection - Hardware webapps Exploit [Exploit]
Products affected by CVE-2014-3138
- cpe:2.3:a:xerox:docushare:6.5.3:patch6:*:*:*:*:*:*
- cpe:2.3:a:xerox:docushare:6.6.1:update1:*:*:*:*:*:*
- cpe:2.3:a:xerox:docushare:6.6.1:update2:*:*:*:*:*:*
- cpe:2.3:a:xerox:docushare:6.5.3:-:*:*:*:*:*:*
- cpe:2.3:a:xerox:docushare:6.6.1:-:*:*:*:*:*:*