| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2017-5001 |
200 |
|
+Info |
2017-07-06 |
2017-07-17 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
EMC RSA Archer 5.4.1.3, 5.5.3.1, 5.5.2.3, 5.5.2, 5.5.1.3.1, 5.5.1.1 is affected by an information exposure through an error message vulnerability. A remote low privileged attacker may potentially exploit this vulnerability to use information disclosed in an error message to launch another more focused attack. |
|
2 |
CVE-2017-5000 |
200 |
|
+Info |
2017-07-06 |
2017-07-11 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
EMC RSA Archer 5.4.1.3, 5.5.3.1, 5.5.2.3, 5.5.2, 5.5.1.3.1, 5.5.1.1 is affected by an information exposure through an error message vulnerability. A remote low privileged attacker may potentially exploit this vulnerability to use information disclosed in an error message to launch another more focused attack. |
|
3 |
CVE-2017-4999 |
200 |
|
Bypass +Info |
2017-07-06 |
2017-07-11 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
EMC RSA Archer 5.4.1.3, 5.5.3.1, 5.5.2.3, 5.5.2, 5.5.1.3.1, 5.5.1.1 is affected by an authorization bypass through user-controlled key vulnerability in Discussion Forum Messages. A remote low privileged attacker may potentially exploit this vulnerability to elevate their privileges and view other users' discussion forum messages. |
|
4 |
CVE-2017-4986 |
200 |
|
Bypass +Info |
2017-06-14 |
2017-07-07 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
EMC ESRS VE 3.18 or earlier contains Authentication Bypass that could potentially be exploited by malicious users to compromise the affected system. |
|
5 |
CVE-2017-4977 |
200 |
|
+Info |
2017-03-29 |
2017-07-11 |
1.9 |
None |
Local |
Medium |
Not required |
Partial |
None |
None |
|
EMC RSA Archer Security Operations Management with RSA Unified Collector Framework versions prior to 1.3.1.52 contain a sensitive information disclosure vulnerability that could potentially be exploited by malicious users to compromise an affected system. |
|
6 |
CVE-2016-8217 |
200 |
|
+Info |
2017-02-03 |
2017-07-24 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
EMC RSA BSAFE Crypto-J versions prior to 6.2.2 has a PKCS#12 Timing Attack Vulnerability. A possible timing attack could be carried out by modifying a PKCS#12 file that has an integrity MAC for which the password is not known. An attacker could then feed the modified PKCS#12 file to the toolkit and guess the current MAC one byte at a time. This is possible because Crypto-J uses a non-constant-time method to compare the stored MAC with the calculated MAC. This vulnerability is similar to the issue described in CVE-2015-2601. |
|
7 |
CVE-2016-6650 |
200 |
|
+Info |
2017-03-21 |
2017-07-11 |
2.6 |
None |
Remote |
High |
Not required |
Partial |
None |
None |
|
EMC RecoverPoint versions prior to 5.0 and EMC RecoverPoint for Virtual Machines versions prior to 5.0 have an SSL Stripping Vulnerability that may potentially be exploited by malicious users to compromise the affected system. |
|
8 |
CVE-2016-0918 |
200 |
|
+Info |
2016-09-24 |
2017-07-29 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
EMC RSA Identity Management and Governance before 6.8.1 P25 and 6.9.x before 6.9.1 P15 and RSA Via Lifecycle and Governance before 7.0.0 P04 allow remote authenticated users to obtain User Detail Popup information via a modified URL. |
|
9 |
CVE-2016-0904 |
310 |
|
+Info |
2016-09-20 |
2017-07-29 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) in EMC Avamar Server before 7.3.0-233 use the same encryption key across different customers' installations, which allows remote attackers to defeat cryptographic protection mechanisms and obtain sensitive client-server traffic information by leveraging knowledge of this key from another installation. |
|
10 |
CVE-2016-0903 |
200 |
|
+Info |
2016-09-20 |
2017-07-29 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
None |
|
Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) in EMC Avamar Server before 7.3.0-233 rely on client-side authentication, which allows remote attackers to spoof clients and read backup data via a modified client agent. |
|
11 |
CVE-2016-0899 |
200 |
|
+Info |
2016-07-04 |
2017-08-31 |
3.5 |
None |
Remote |
Medium |
Single system |
Partial |
None |
None |
|
EMC RSA Archer GRC 5.5.x before 5.5.3.4 allows remote authenticated users to read the web.config.bak file, and obtain sensitive credential information, by modifying the IIS configuration to set a Content-Type header for .bak files. |
|
12 |
CVE-2016-0893 |
200 |
|
+Info |
2016-05-03 |
2016-11-30 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
EMC RSA Data Loss Prevention 9.6 before SP2 P5 allows remote authenticated users to obtain sensitive information by reading error messages. |
|
13 |
CVE-2016-0890 |
200 |
|
+Info |
2017-02-03 |
2017-03-02 |
6.0 |
None |
Remote |
Medium |
Single system |
Partial |
Partial |
Partial |
|
EMC PowerPath Virtual (Management) Appliance 2.0, EMC PowerPath Virtual (Management) Appliance 2.0 SP1 is affected by a sensitive information disclosure vulnerability that may potentially be exploited by malicious users to compromise the affected system. |
|
14 |
CVE-2016-0887 |
200 |
|
+Info |
2016-04-12 |
2016-12-02 |
2.6 |
None |
Remote |
High |
Not required |
Partial |
None |
None |
|
EMC RSA BSAFE Micro Edition Suite (MES) 4.0.x and 4.1.x before 4.1.5, RSA BSAFE Crypto-C Micro Edition (CCME) 4.0.x and 4.1.x before 4.1.3, RSA BSAFE Crypto-J before 6.2.1, RSA BSAFE SSL-J before 6.2.1, and RSA BSAFE SSL-C before 2.8.9 allow remote attackers to discover a private-key prime by conducting a Lenstra side-channel attack that leverages an application's failure to detect an RSA signature failure during a TLS session. |
|
15 |
CVE-2016-0886 |
200 |
|
+Info |
2016-03-09 |
2017-01-10 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
EMC Documentum xCP 2.1 before patch 24 and 2.2 before patch 12 allows remote authenticated users to obtain sensitive user-account metadata via a members/xcp_member API call. |
|
16 |
CVE-2016-0881 |
74 |
|
+Info |
2016-02-11 |
2017-01-10 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
EMC Documentum xCP 2.1 before patch 23 and 2.2 before patch 11 allows remote authenticated users to conduct Documentum Query Language (DQL) injection attacks and obtain sensitive repository information by appending a query to a REST request. |
|
17 |
CVE-2015-6852 |
200 |
|
Dir. Trav. +Info |
2015-12-28 |
2016-12-07 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
Directory traversal vulnerability in the API in EMC Secure Remote Services Virtual Edition 3.x before 3.10 allows remote authenticated users to read log files via a crafted parameter. |
|
18 |
CVE-2015-6847 |
200 |
|
+Info |
2015-11-18 |
2016-12-07 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The default configuration of EMC VPLEX GeoSynchrony 5.4 SP1 before P3 stores cleartext NAVISPHERE GUI passwords in a log file, which allows local users to obtain sensitive information by reading this file. |
|
19 |
CVE-2015-6843 |
200 |
|
+Info |
2015-10-18 |
2016-12-08 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Reviewer in EMC SourceOne Email Supervisor before 7.2 does not properly limit attempts to authenticate, which makes it easier for remote attackers to obtain access via a brute-force approach. |
|
20 |
CVE-2015-4547 |
200 |
|
+Info |
2015-10-11 |
2016-12-08 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
EMC RSA Web Threat Detection before 5.1 SP1 stores a cleartext AnnoDB password in a configuration file, which allows remote authenticated users to obtain sensitive information by reading this file. |
|
21 |
CVE-2015-4543 |
200 |
|
+Info |
2015-09-25 |
2016-12-08 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
EMC RSA Archer GRC 5.x before 5.5.3 uses cleartext for stored passwords in unspecified circumstances, which allows remote authenticated users to obtain sensitive information by reading database fields. |
|
22 |
CVE-2015-4537 |
200 |
|
+Info |
2015-08-22 |
2016-12-23 |
3.5 |
None |
Remote |
Medium |
Single system |
Partial |
None |
None |
|
Lockbox in EMC Documentum D2 before 4.5 uses a hardcoded passphrase when a server lacks a D2.Lockbox file, which makes it easier for remote authenticated users to decrypt admin tickets by locating this passphrase in a decompiled D2 JAR archive. |
|
23 |
CVE-2015-4536 |
200 |
|
+Info |
2015-08-20 |
2017-09-20 |
3.5 |
None |
Remote |
Medium |
Single system |
Partial |
None |
None |
|
EMC Documentum Content Server before 7.0 P20, 7.1 before P18, and 7.2 before P02, when RPC tracing is configured, stores certain obfuscated password data in a log file, which allows remote authenticated users to obtain sensitive information by reading this file. |
|
24 |
CVE-2015-4527 |
200 |
|
Dir. Trav. +Info |
2015-07-23 |
2015-08-21 |
7.8 |
None |
Remote |
Low |
Not required |
Complete |
None |
None |
|
Directory traversal vulnerability in EMC Avamar Server 7.x before 7.1.2 and Avamar Virtual Addition (AVE) 7.x before 7.1.2 allows remote attackers to read arbitrary files by using the Avamar Desktop/Laptop client interface to send crafted parameters. |
|
25 |
CVE-2015-0543 |
20 |
|
+Info |
2015-07-05 |
2016-12-27 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
EMC Secure Remote Services Virtual Edition (ESRS VE) 3.x before 3.06 does not properly verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
|
26 |
CVE-2015-0529 |
255 |
|
+Info |
2015-04-04 |
2016-08-23 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
EMC PowerPath Virtual Appliance (aka vApp) before 2.0 has default passwords for the (1) emcupdate and (2) svcuser accounts, which makes it easier for remote attackers to obtain potentially sensitive information via a login session. |
|
27 |
CVE-2015-0527 |
200 |
|
+Info |
2015-03-23 |
2015-07-28 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
EMC Documentum xCelerated Management System (xMS) 1.1 before P14 stores cleartext Windows Service credentials in a batch file during Documentum Platform and xCelerated Composition Platform (xCP) provisioning, which allows local users to obtain sensitive information by reading a file. |
|
28 |
CVE-2015-0519 |
200 |
|
+Info |
2015-02-14 |
2017-09-07 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The InputAccel Database (IADB) installation process in EMC Captiva Capture 7.0 before patch 25 and 7.1 before patch 13 places a cleartext InputAccel (IA) SQL password in a DAL log file, which allows local users to obtain sensitive information by reading a file. |
|
29 |
CVE-2015-0517 |
200 |
|
+Info |
2015-02-14 |
2017-09-07 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
The D2-API component in EMC Documentum D2 3.1 through SP1, 4.0 and 4.1 before 4.1 P22, and 4.2 before P11 places the MD5 hash of an encryption passphrase in log files, which allows remote authenticated users to obtain sensitive information by reading a file. |
|
30 |
CVE-2015-0514 |
200 |
|
+Info |
2015-01-21 |
2017-01-02 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
EMC M&R (aka Watch4Net) before 6.5u1 and ViPR SRM before 3.6.1 might allow remote attackers to obtain cleartext data-center discovery credentials by leveraging certain SRM access to conduct a decryption attack. |
|
31 |
CVE-2014-4638 |
200 |
|
+Info |
2015-01-06 |
2016-12-06 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
EMC Documentum Web Development Kit (WDK) before 6.8 allows remote attackers to conduct frame-injection attacks and obtain sensitive information via unspecified vectors. |
|
32 |
CVE-2014-4630 |
310 |
|
+Info |
2014-12-30 |
2016-09-06 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
EMC RSA BSAFE Micro Edition Suite (MES) 4.0.x before 4.0.6 and RSA BSAFE SSL-J before 6.1.4 do not ensure that a server's X.509 certificate is the same during renegotiation as it was before renegotiation, which allows man-in-the-middle attackers to obtain sensitive information or modify TLS session data via a "triple handshake attack." |
|
33 |
CVE-2014-4620 |
200 |
|
+Info |
2014-10-25 |
2017-08-28 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The EMC NetWorker Module for MEDITECH (aka NMMEDI) 3.0 build 87 through 90, when EMC RecoverPoint and Plink are used, stores cleartext RecoverPoint Appliance credentials in nsrmedisv.raw log files, which allows local users to obtain sensitive information by reading these files. |
|
34 |
CVE-2014-2521 |
200 |
|
+Info |
2014-08-20 |
2017-08-28 |
6.3 |
None |
Remote |
Medium |
Single system |
Complete |
None |
None |
|
EMC Documentum Content Server before 6.7 SP2 P16 and 7.x before 7.1 P07 allows remote authenticated users to read sensitive object metadata via an RPC command. |
|
35 |
CVE-2014-2519 |
200 |
|
DoS +Info |
2014-07-19 |
2017-01-06 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
None |
Partial |
|
The default configuration of EMC RecoverPoint Appliance (RPA) 4.1 before 4.1.0.1 does not enable a firewall, which allows remote attackers to obtain potentially sensitive information about open ports, or cause a denial of service, by sending packets to many ports. |
|
36 |
CVE-2014-2510 |
200 |
|
+Info |
2014-07-08 |
2017-01-06 |
6.8 |
None |
Remote |
Low |
Single system |
Complete |
None |
None |
|
The JAXB XML parser in EMC Documentum Foundation Services (DFS) 6.6 before P39, 6.7 SP1 before P28, and 6.7 SP2 before P15, as used in My Documentum for Desktop, My Documentum for Microsoft Outlook, and CenterStage, allows remote authenticated users to read arbitrary files via an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. |
|
37 |
CVE-2014-2276 |
264 |
|
+Info |
2014-03-21 |
2017-08-28 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The FileUploadController servlet in EMC Connectrix Manager Converged Network Edition (CMCNE) before 12.1.5 does not properly restrict additions to the Connectrix Manager repository, which allows remote attackers to obtain sensitive information by importing a crafted firmware file. |
|
38 |
CVE-2014-0645 |
255 |
|
+Info |
2014-04-16 |
2014-04-17 |
4.7 |
None |
Local |
Medium |
Not required |
Complete |
None |
None |
|
EMC Cloud Tiering Appliance (CTA) 9.x through 10 SP1 and File Management Appliance (FMA) 7.x store DES password hashes for the root, super, and admin accounts, which makes it easier for context-dependent attackers to obtain sensitive information via a brute-force attack. |
|
39 |
CVE-2014-0644 |
200 |
|
+Info |
2014-04-16 |
2014-04-17 |
7.8 |
None |
Remote |
Low |
Not required |
Complete |
None |
None |
|
EMC Cloud Tiering Appliance (CTA) 10 through SP1 allows remote attackers to read arbitrary files via an api/login request containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, as demonstrated by reading the /etc/shadow file. |
|
40 |
CVE-2014-0634 |
20 |
|
+Info |
2014-04-01 |
2014-04-01 |
6.0 |
None |
Remote |
Medium |
Single system |
Partial |
Partial |
Partial |
|
EMC VPLEX GeoSynchrony 4.x and 5.x before 5.3 does not include the HTTPOnly flag in a Set-Cookie header for an unspecified cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie. |
|
41 |
CVE-2014-0629 |
264 |
|
+Priv +Info |
2014-03-06 |
2014-03-07 |
8.5 |
None |
Remote |
Medium |
Single system |
Complete |
Complete |
Complete |
|
EMC Documentum TaskSpace (TSP) 6.7SP1 before P25 and 6.7SP2 before P11 does not properly handle the interaction between the dm_world group and the dm_superusers_dynamic group, which allows remote authenticated users to obtain sensitive information and gain privileges in opportunistic circumstances by leveraging an incorrect group-addition implementation. |
|
42 |
CVE-2013-6181 |
310 |
|
+Info |
2013-12-27 |
2014-01-07 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
EMC Watch4Net before 6.3 stores cleartext polled-device passwords in the installation repository, which allows local users to obtain sensitive information by leveraging repository privileges. |
|
43 |
CVE-2013-3279 |
255 |
|
+Info |
2013-10-16 |
2013-10-17 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
EMC Atmos before 2.1.4 has a blank password for the PostgreSQL account, which allows remote attackers to obtain sensitive administrative information via a database-server connection. |
|
44 |
CVE-2013-3278 |
255 |
|
+Info |
2013-09-30 |
2013-10-02 |
4.9 |
None |
Local |
Low |
Not required |
Complete |
None |
None |
|
EMC VPLEX before VPLEX GeoSynchrony 5.2 SP1 uses cleartext for storage of the LDAP/AD bind password, which allows local users to obtain sensitive information by reading the management-server configuration file. |
|
45 |
CVE-2013-3275 |
20 |
|
XSS +Info |
2013-07-19 |
2013-07-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
EMC Avamar Server and Avamar Virtual Edition before 7.0 on Data Store Gen3, Gen4, and Gen4s platforms do not properly restrict use of FRAME elements, which makes it easier for remote attackers to obtain sensitive information via a crafted web site, related to "cross frame scripting vulnerabilities." |
|
46 |
CVE-2013-3272 |
255 |
|
+Info |
2013-07-08 |
2013-10-11 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
EMC Replication Manager (RM) before 5.4.4 places encoded passwords in application log files, which makes it easier for local users to obtain sensitive information by reading a file and conducting an unspecified decoding attack. |
|
47 |
CVE-2013-0944 |
200 |
|
+Info |
2013-05-03 |
2013-05-03 |
3.5 |
None |
Remote |
Medium |
Single system |
Partial |
None |
None |
|
The web-based file-restore interface in EMC Avamar Server before 6.1.0 allows remote authenticated users to read arbitrary files via a crafted URL. |
|
48 |
CVE-2013-0943 |
200 |
|
+Info |
2013-07-31 |
2013-07-31 |
4.6 |
None |
Local |
Low |
Single system |
Complete |
None |
None |
|
EMC NetWorker 7.6.x and 8.x before 8.1 allows local users to obtain sensitive configuration information by leveraging operating-system privileges to perform decryption with nsradmin. |
|
49 |
CVE-2013-0939 |
20 |
|
+Info |
2013-05-10 |
2013-05-10 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
EMC Documentum Webtop before 6.7 SP2, Documentum WDK before 6.7 SP2, Documentum Taskspace before 6.7 SP2, and Documentum Records Manager before 6.7 SP2 allow remote attackers to obtain sensitive information via vectors involving cross-origin frame navigation, related to a "Cross Frame Scripting" issue. |
|
50 |
CVE-2012-4615 |
310 |
1
|
+Info |
2012-11-27 |
2013-08-17 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
EMC Smarts Network Configuration Manager (NCM) before 9.1 uses a hardcoded encryption key for the storage of credentials, which allows local users to obtain sensitive information via unspecified vectors. |
