CVE-2014-2510 : The JAXB XML parser in EMC Documentum Foundation Services (DFS) 6.6 before P39,

The JAXB XML parser in EMC Documentum Foundation Services (DFS) 6.6 before P39, 6.7 SP1 before P28, and 6.7 SP2 before P15, as used in My Documentum for Desktop, My Documentum for Microsoft Outlook, and CenterStage, allows remote authenticated users to read arbitrary files via an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

Published 2014-07-08 11:06:01

Updated 2025-04-12 10:46:41

Source Dell

View at NVD, CVE.org

Vulnerability category: XML external entity (XXE) injection

Products affected by CVE-2014-2510

EMC » Documentum Foundation Services » Version: 6.6
cpe:2.3:a:emc:documentum_foundation_services:6.6:*:*:*:*:*:*:*
Matching versions
EMC » Documentum Foundation Services » Version: 6.7
cpe:2.3:a:emc:documentum_foundation_services:6.7:*:*:*:*:*:*:*
Matching versions
EMC » Documentum Foundation Services » Version: 6.7 Update SP1
cpe:2.3:a:emc:documentum_foundation_services:6.7:sp1:*:*:*:*:*:*
Matching versions
EMC » Documentum Foundation Services » Version: 6.7 Update SP2
cpe:2.3:a:emc:documentum_foundation_services:6.7:sp2:*:*:*:*:*:*
Matching versions
EMC » My Documentum For Desktop » Version: 6.7.2
cpe:2.3:a:emc:my_documentum_for_desktop:6.7.2:*:*:*:*:*:*:*
Matching versions
EMC » My Documentum For Microsoft Outlook » Version: 6.7 Update SP2
cpe:2.3:a:emc:my_documentum_for_microsoft_outlook:6.7:sp2:*:*:*:*:*:*
Matching versions
EMC » My Documentum For Microsoft Outlook » Version: 6.7 Update SP
cpe:2.3:a:emc:my_documentum_for_microsoft_outlook:6.7:sp:*:*:*:*:*:*
Matching versions
EMC » My Documentum For Microsoft Outlook » Version: 6.7.3
cpe:2.3:a:emc:my_documentum_for_microsoft_outlook:6.7.3:*:*:*:*:*:*:*
Matching versions
EMC » My Documentum For Microsoft Outlook » Version: 6.7.1
cpe:2.3:a:emc:my_documentum_for_microsoft_outlook:6.7.1:*:*:*:*:*:*:*
Matching versions
EMC » Centerstage » Version: 1.2 Update SP2
cpe:2.3:a:emc:centerstage:1.2:sp2:*:*:*:*:*:*
Matching versions
EMC » Centerstage » Version: 1.2 Update SP1
cpe:2.3:a:emc:centerstage:1.2:sp1:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2014-2510

EPSS FAQ

0.50%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 63 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2014-2510

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
6.8	MEDIUM	AV:N/AC:L/Au:S/C:C/I:N/A:N	8.0	6.9	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: Complete Integrity Impact: None Availability Impact: None

CWE ids for CVE-2014-2510

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2014-2510

http://www.securitytracker.com/id/1030528

EMC Documentum Foundation Services Bug Lets Remote Authenticated Users Obtain Files From the Target System - SecurityTracker
http://secunia.com/advisories/59773

Sign in
Permissions Required
http://www.securityfocus.com/bid/68434

EMC Documentum Foundation Services XML External Entity Information Disclosure Vulnerability
http://archives.neohapsis.com/archives/bugtraq/2014-07/0025.html

Broken Link

Jump to

Vulnerability Details : CVE-2014-2510

Products affected by CVE-2014-2510

Exploit prediction scoring system (EPSS) score for CVE-2014-2510

CVSS scores for CVE-2014-2510

CWE ids for CVE-2014-2510

References for CVE-2014-2510