CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

EMC : Security Vulnerabilities (Gain Information)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2017-5001 200 +Info 2017-07-06 2017-07-17
4.0
None Remote Low Single system Partial None None
EMC RSA Archer 5.4.1.3, 5.5.3.1, 5.5.2.3, 5.5.2, 5.5.1.3.1, 5.5.1.1 is affected by an information exposure through an error message vulnerability. A remote low privileged attacker may potentially exploit this vulnerability to use information disclosed in an error message to launch another more focused attack.
2 CVE-2017-5000 200 +Info 2017-07-06 2017-07-11
4.0
None Remote Low Single system Partial None None
EMC RSA Archer 5.4.1.3, 5.5.3.1, 5.5.2.3, 5.5.2, 5.5.1.3.1, 5.5.1.1 is affected by an information exposure through an error message vulnerability. A remote low privileged attacker may potentially exploit this vulnerability to use information disclosed in an error message to launch another more focused attack.
3 CVE-2017-4999 200 Bypass +Info 2017-07-06 2017-07-11
4.0
None Remote Low Single system Partial None None
EMC RSA Archer 5.4.1.3, 5.5.3.1, 5.5.2.3, 5.5.2, 5.5.1.3.1, 5.5.1.1 is affected by an authorization bypass through user-controlled key vulnerability in Discussion Forum Messages. A remote low privileged attacker may potentially exploit this vulnerability to elevate their privileges and view other users' discussion forum messages.
4 CVE-2017-4986 200 Bypass +Info 2017-06-14 2017-07-07
5.0
None Remote Low Not required Partial None None
EMC ESRS VE 3.18 or earlier contains Authentication Bypass that could potentially be exploited by malicious users to compromise the affected system.
5 CVE-2017-4977 200 +Info 2017-03-29 2017-07-11
1.9
None Local Medium Not required Partial None None
EMC RSA Archer Security Operations Management with RSA Unified Collector Framework versions prior to 1.3.1.52 contain a sensitive information disclosure vulnerability that could potentially be exploited by malicious users to compromise an affected system.
6 CVE-2016-8217 200 +Info 2017-02-03 2017-07-24
5.0
None Remote Low Not required Partial None None
EMC RSA BSAFE Crypto-J versions prior to 6.2.2 has a PKCS#12 Timing Attack Vulnerability. A possible timing attack could be carried out by modifying a PKCS#12 file that has an integrity MAC for which the password is not known. An attacker could then feed the modified PKCS#12 file to the toolkit and guess the current MAC one byte at a time. This is possible because Crypto-J uses a non-constant-time method to compare the stored MAC with the calculated MAC. This vulnerability is similar to the issue described in CVE-2015-2601.
7 CVE-2016-6650 200 +Info 2017-03-21 2017-07-11
2.6
None Remote High Not required Partial None None
EMC RecoverPoint versions prior to 5.0 and EMC RecoverPoint for Virtual Machines versions prior to 5.0 have an SSL Stripping Vulnerability that may potentially be exploited by malicious users to compromise the affected system.
8 CVE-2016-0918 200 +Info 2016-09-24 2017-07-29
4.0
None Remote Low Single system Partial None None
EMC RSA Identity Management and Governance before 6.8.1 P25 and 6.9.x before 6.9.1 P15 and RSA Via Lifecycle and Governance before 7.0.0 P04 allow remote authenticated users to obtain User Detail Popup information via a modified URL.
9 CVE-2016-0904 310 +Info 2016-09-20 2017-07-29
5.0
None Remote Low Not required Partial None None
Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) in EMC Avamar Server before 7.3.0-233 use the same encryption key across different customers' installations, which allows remote attackers to defeat cryptographic protection mechanisms and obtain sensitive client-server traffic information by leveraging knowledge of this key from another installation.
10 CVE-2016-0903 200 +Info 2016-09-20 2017-07-29
6.4
None Remote Low Not required Partial Partial None
Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) in EMC Avamar Server before 7.3.0-233 rely on client-side authentication, which allows remote attackers to spoof clients and read backup data via a modified client agent.
11 CVE-2016-0899 200 +Info 2016-07-04 2017-08-31
3.5
None Remote Medium Single system Partial None None
EMC RSA Archer GRC 5.5.x before 5.5.3.4 allows remote authenticated users to read the web.config.bak file, and obtain sensitive credential information, by modifying the IIS configuration to set a Content-Type header for .bak files.
12 CVE-2016-0893 200 +Info 2016-05-03 2016-11-30
4.0
None Remote Low Single system Partial None None
EMC RSA Data Loss Prevention 9.6 before SP2 P5 allows remote authenticated users to obtain sensitive information by reading error messages.
13 CVE-2016-0890 200 +Info 2017-02-03 2017-03-02
6.0
None Remote Medium Single system Partial Partial Partial
EMC PowerPath Virtual (Management) Appliance 2.0, EMC PowerPath Virtual (Management) Appliance 2.0 SP1 is affected by a sensitive information disclosure vulnerability that may potentially be exploited by malicious users to compromise the affected system.
14 CVE-2016-0887 200 +Info 2016-04-12 2016-12-02
2.6
None Remote High Not required Partial None None
EMC RSA BSAFE Micro Edition Suite (MES) 4.0.x and 4.1.x before 4.1.5, RSA BSAFE Crypto-C Micro Edition (CCME) 4.0.x and 4.1.x before 4.1.3, RSA BSAFE Crypto-J before 6.2.1, RSA BSAFE SSL-J before 6.2.1, and RSA BSAFE SSL-C before 2.8.9 allow remote attackers to discover a private-key prime by conducting a Lenstra side-channel attack that leverages an application's failure to detect an RSA signature failure during a TLS session.
15 CVE-2016-0886 200 +Info 2016-03-09 2017-01-10
4.0
None Remote Low Single system Partial None None
EMC Documentum xCP 2.1 before patch 24 and 2.2 before patch 12 allows remote authenticated users to obtain sensitive user-account metadata via a members/xcp_member API call.
16 CVE-2016-0881 74 +Info 2016-02-11 2017-01-10
4.0
None Remote Low Single system Partial None None
EMC Documentum xCP 2.1 before patch 23 and 2.2 before patch 11 allows remote authenticated users to conduct Documentum Query Language (DQL) injection attacks and obtain sensitive repository information by appending a query to a REST request.
17 CVE-2015-6852 200 Dir. Trav. +Info 2015-12-28 2016-12-07
4.0
None Remote Low Single system Partial None None
Directory traversal vulnerability in the API in EMC Secure Remote Services Virtual Edition 3.x before 3.10 allows remote authenticated users to read log files via a crafted parameter.
18 CVE-2015-6847 200 +Info 2015-11-18 2016-12-07
2.1
None Local Low Not required Partial None None
The default configuration of EMC VPLEX GeoSynchrony 5.4 SP1 before P3 stores cleartext NAVISPHERE GUI passwords in a log file, which allows local users to obtain sensitive information by reading this file.
19 CVE-2015-6843 200 +Info 2015-10-18 2016-12-08
5.0
None Remote Low Not required Partial None None
Reviewer in EMC SourceOne Email Supervisor before 7.2 does not properly limit attempts to authenticate, which makes it easier for remote attackers to obtain access via a brute-force approach.
20 CVE-2015-4547 200 +Info 2015-10-11 2016-12-08
4.0
None Remote Low Single system Partial None None
EMC RSA Web Threat Detection before 5.1 SP1 stores a cleartext AnnoDB password in a configuration file, which allows remote authenticated users to obtain sensitive information by reading this file.
21 CVE-2015-4543 200 +Info 2015-09-25 2016-12-08
4.0
None Remote Low Single system Partial None None
EMC RSA Archer GRC 5.x before 5.5.3 uses cleartext for stored passwords in unspecified circumstances, which allows remote authenticated users to obtain sensitive information by reading database fields.
22 CVE-2015-4537 200 +Info 2015-08-22 2016-12-23
3.5
None Remote Medium Single system Partial None None
Lockbox in EMC Documentum D2 before 4.5 uses a hardcoded passphrase when a server lacks a D2.Lockbox file, which makes it easier for remote authenticated users to decrypt admin tickets by locating this passphrase in a decompiled D2 JAR archive.
23 CVE-2015-4536 200 +Info 2015-08-20 2017-09-20
3.5
None Remote Medium Single system Partial None None
EMC Documentum Content Server before 7.0 P20, 7.1 before P18, and 7.2 before P02, when RPC tracing is configured, stores certain obfuscated password data in a log file, which allows remote authenticated users to obtain sensitive information by reading this file.
24 CVE-2015-4527 200 Dir. Trav. +Info 2015-07-23 2015-08-21
7.8
None Remote Low Not required Complete None None
Directory traversal vulnerability in EMC Avamar Server 7.x before 7.1.2 and Avamar Virtual Addition (AVE) 7.x before 7.1.2 allows remote attackers to read arbitrary files by using the Avamar Desktop/Laptop client interface to send crafted parameters.
25 CVE-2015-0543 20 +Info 2015-07-05 2016-12-27
5.8
None Remote Medium Not required Partial Partial None
EMC Secure Remote Services Virtual Edition (ESRS VE) 3.x before 3.06 does not properly verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
26 CVE-2015-0529 255 +Info 2015-04-04 2016-08-23
5.0
None Remote Low Not required Partial None None
EMC PowerPath Virtual Appliance (aka vApp) before 2.0 has default passwords for the (1) emcupdate and (2) svcuser accounts, which makes it easier for remote attackers to obtain potentially sensitive information via a login session.
27 CVE-2015-0527 200 +Info 2015-03-23 2015-07-28
2.1
None Local Low Not required Partial None None
EMC Documentum xCelerated Management System (xMS) 1.1 before P14 stores cleartext Windows Service credentials in a batch file during Documentum Platform and xCelerated Composition Platform (xCP) provisioning, which allows local users to obtain sensitive information by reading a file.
28 CVE-2015-0519 200 +Info 2015-02-14 2017-09-07
2.1
None Local Low Not required Partial None None
The InputAccel Database (IADB) installation process in EMC Captiva Capture 7.0 before patch 25 and 7.1 before patch 13 places a cleartext InputAccel (IA) SQL password in a DAL log file, which allows local users to obtain sensitive information by reading a file.
29 CVE-2015-0517 200 +Info 2015-02-14 2017-09-07
4.0
None Remote Low Single system Partial None None
The D2-API component in EMC Documentum D2 3.1 through SP1, 4.0 and 4.1 before 4.1 P22, and 4.2 before P11 places the MD5 hash of an encryption passphrase in log files, which allows remote authenticated users to obtain sensitive information by reading a file.
30 CVE-2015-0514 200 +Info 2015-01-21 2017-01-02
5.0
None Remote Low Not required Partial None None
EMC M&R (aka Watch4Net) before 6.5u1 and ViPR SRM before 3.6.1 might allow remote attackers to obtain cleartext data-center discovery credentials by leveraging certain SRM access to conduct a decryption attack.
31 CVE-2014-4638 200 +Info 2015-01-06 2016-12-06
5.0
None Remote Low Not required Partial None None
EMC Documentum Web Development Kit (WDK) before 6.8 allows remote attackers to conduct frame-injection attacks and obtain sensitive information via unspecified vectors.
32 CVE-2014-4630 310 +Info 2014-12-30 2016-09-06
4.3
None Remote Medium Not required Partial None None
EMC RSA BSAFE Micro Edition Suite (MES) 4.0.x before 4.0.6 and RSA BSAFE SSL-J before 6.1.4 do not ensure that a server's X.509 certificate is the same during renegotiation as it was before renegotiation, which allows man-in-the-middle attackers to obtain sensitive information or modify TLS session data via a "triple handshake attack."
33 CVE-2014-4620 200 +Info 2014-10-25 2017-08-28
2.1
None Local Low Not required Partial None None
The EMC NetWorker Module for MEDITECH (aka NMMEDI) 3.0 build 87 through 90, when EMC RecoverPoint and Plink are used, stores cleartext RecoverPoint Appliance credentials in nsrmedisv.raw log files, which allows local users to obtain sensitive information by reading these files.
34 CVE-2014-2521 200 +Info 2014-08-20 2017-08-28
6.3
None Remote Medium Single system Complete None None
EMC Documentum Content Server before 6.7 SP2 P16 and 7.x before 7.1 P07 allows remote authenticated users to read sensitive object metadata via an RPC command.
35 CVE-2014-2519 200 DoS +Info 2014-07-19 2017-01-06
5.8
None Remote Medium Not required Partial None Partial
The default configuration of EMC RecoverPoint Appliance (RPA) 4.1 before 4.1.0.1 does not enable a firewall, which allows remote attackers to obtain potentially sensitive information about open ports, or cause a denial of service, by sending packets to many ports.
36 CVE-2014-2510 200 +Info 2014-07-08 2017-01-06
6.8
None Remote Low Single system Complete None None
The JAXB XML parser in EMC Documentum Foundation Services (DFS) 6.6 before P39, 6.7 SP1 before P28, and 6.7 SP2 before P15, as used in My Documentum for Desktop, My Documentum for Microsoft Outlook, and CenterStage, allows remote authenticated users to read arbitrary files via an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
37 CVE-2014-2276 264 +Info 2014-03-21 2017-08-28
5.0
None Remote Low Not required Partial None None
The FileUploadController servlet in EMC Connectrix Manager Converged Network Edition (CMCNE) before 12.1.5 does not properly restrict additions to the Connectrix Manager repository, which allows remote attackers to obtain sensitive information by importing a crafted firmware file.
38 CVE-2014-0645 255 +Info 2014-04-16 2014-04-17
4.7
None Local Medium Not required Complete None None
EMC Cloud Tiering Appliance (CTA) 9.x through 10 SP1 and File Management Appliance (FMA) 7.x store DES password hashes for the root, super, and admin accounts, which makes it easier for context-dependent attackers to obtain sensitive information via a brute-force attack.
39 CVE-2014-0644 200 +Info 2014-04-16 2014-04-17
7.8
None Remote Low Not required Complete None None
EMC Cloud Tiering Appliance (CTA) 10 through SP1 allows remote attackers to read arbitrary files via an api/login request containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, as demonstrated by reading the /etc/shadow file.
40 CVE-2014-0634 20 +Info 2014-04-01 2014-04-01
6.0
None Remote Medium Single system Partial Partial Partial
EMC VPLEX GeoSynchrony 4.x and 5.x before 5.3 does not include the HTTPOnly flag in a Set-Cookie header for an unspecified cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.
41 CVE-2014-0629 264 +Priv +Info 2014-03-06 2014-03-07
8.5
None Remote Medium Single system Complete Complete Complete
EMC Documentum TaskSpace (TSP) 6.7SP1 before P25 and 6.7SP2 before P11 does not properly handle the interaction between the dm_world group and the dm_superusers_dynamic group, which allows remote authenticated users to obtain sensitive information and gain privileges in opportunistic circumstances by leveraging an incorrect group-addition implementation.
42 CVE-2013-6181 310 +Info 2013-12-27 2014-01-07
2.1
None Local Low Not required Partial None None
EMC Watch4Net before 6.3 stores cleartext polled-device passwords in the installation repository, which allows local users to obtain sensitive information by leveraging repository privileges.
43 CVE-2013-3279 255 +Info 2013-10-16 2013-10-17
5.0
None Remote Low Not required Partial None None
EMC Atmos before 2.1.4 has a blank password for the PostgreSQL account, which allows remote attackers to obtain sensitive administrative information via a database-server connection.
44 CVE-2013-3278 255 +Info 2013-09-30 2013-10-02
4.9
None Local Low Not required Complete None None
EMC VPLEX before VPLEX GeoSynchrony 5.2 SP1 uses cleartext for storage of the LDAP/AD bind password, which allows local users to obtain sensitive information by reading the management-server configuration file.
45 CVE-2013-3275 20 XSS +Info 2013-07-19 2013-07-29
4.3
None Remote Medium Not required None Partial None
EMC Avamar Server and Avamar Virtual Edition before 7.0 on Data Store Gen3, Gen4, and Gen4s platforms do not properly restrict use of FRAME elements, which makes it easier for remote attackers to obtain sensitive information via a crafted web site, related to "cross frame scripting vulnerabilities."
46 CVE-2013-3272 255 +Info 2013-07-08 2013-10-11
2.1
None Local Low Not required Partial None None
EMC Replication Manager (RM) before 5.4.4 places encoded passwords in application log files, which makes it easier for local users to obtain sensitive information by reading a file and conducting an unspecified decoding attack.
47 CVE-2013-0944 200 +Info 2013-05-03 2013-05-03
3.5
None Remote Medium Single system Partial None None
The web-based file-restore interface in EMC Avamar Server before 6.1.0 allows remote authenticated users to read arbitrary files via a crafted URL.
48 CVE-2013-0943 200 +Info 2013-07-31 2013-07-31
4.6
None Local Low Single system Complete None None
EMC NetWorker 7.6.x and 8.x before 8.1 allows local users to obtain sensitive configuration information by leveraging operating-system privileges to perform decryption with nsradmin.
49 CVE-2013-0939 20 +Info 2013-05-10 2013-05-10
5.8
None Remote Medium Not required Partial Partial None
EMC Documentum Webtop before 6.7 SP2, Documentum WDK before 6.7 SP2, Documentum Taskspace before 6.7 SP2, and Documentum Records Manager before 6.7 SP2 allow remote attackers to obtain sensitive information via vectors involving cross-origin frame navigation, related to a "Cross Frame Scripting" issue.
50 CVE-2012-4615 310 1 +Info 2012-11-27 2013-08-17
2.1
None Local Low Not required Partial None None
EMC Smarts Network Configuration Manager (NCM) before 9.1 uses a hardcoded encryption key for the storage of credentials, which allows local users to obtain sensitive information via unspecified vectors.
Total number of vulnerabilities : 61   Page : 1 (This Page)2
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.