Andrey B. Panfilov

6 exploits Active since Feb 2017
CVE-2017-15013 EXPLOITDB HIGH python WORKING POC
OpenText Documentum Content Server < 7.3 - Authenticated Privilege Escalation via dmr_content Object Manipulation
OpenText Documentum Content Server (formerly EMC Documentum Content Server) through 7.3 contains the following design gap, which allows an authenticated user to gain superuser privileges: Content Server stores information about uploaded files in dmr_content objects, which are queryable and "editable" (before release 7.2P02, any authenticated user was able to edit dmr_content objects; now any authenticated user may delete a dmr_content object and then create a new one with the old identifier) by authenticated users; this allows any authenticated user to replace the content of security-sensitive dmr_content objects (for example, dmr_content related to dm_method objects) and gain superuser privileges.
CVSS 8.8
CVE-2017-15014 EXPLOITDB MEDIUM python WORKING POC
OpenText Documentum Content Server < 7.3 - Authenticated Arbitrary File Download via DATA_TICKET Manipulation
OpenText Documentum Content Server (formerly EMC Documentum Content Server) through 7.3 contains the following design gap, which allows authenticated users to download arbitrary content files regardless of the attacker's repository permissions: When an authenticated user uploads content to the repository, he performs the following steps: (1) calls the START_PUSH RPC-command; (2) uploads the file to the content server; (3) calls the END_PUSH_V2 RPC-command (here, Content Server returns a DATA_TICKET integer, intended to identify the location of the uploaded file on the Content Server filesystem); (4) creates a dmr_content object in the repository, which has a value of data_ticket equal to the value of DATA_TICKET returned at the end of END_PUSH_V2 call. As the result of this design, any authenticated user may create his own dmr_content object, pointing to already existing content in the Content Server filesystem.
CVSS 4.3
CVE-2017-15012 EXPLOITDB HIGH python WORKING POC
OpenText Documentum Content Server < 7.3 - Authenticated Arbitrary File Read via PUT_FILE RPC Command
OpenText Documentum Content Server (formerly EMC Documentum Content Server) through 7.3 does not properly validate the input of the PUT_FILE RPC-command, which allows any authenticated user to hijack an arbitrary file from the Content Server filesystem; because some files on the Content Server filesystem are security-sensitive, this leads to privilege escalation.
CVSS 8.8
CVE-2017-7221 EXPLOITDB HIGH python WORKING POC
OpenText Documentum Content Server - SQL Injection
OpenText Documentum Content Server has an inadequate protection mechanism against SQL injection, which allows remote authenticated users to execute arbitrary code with super-user privileges by leveraging the availability of the dm_bp_transition docbase method with a user-created dm_procedure object, as demonstrated by use of a backspace character in an injected string. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2513.
CVSS 8.8
CVE-2017-15276 EXPLOITDB HIGH python WORKING POC
OpenText Documentum Content Server < 7.3 - Authenticated Path Traversal via TAR Archive Symlinks
OpenText Documentum Content Server (formerly EMC Documentum Content Server) through 7.3 contains the following design gap, which allows an authenticated user to gain superuser privileges: Content Server allows uploading content using batches (TAR archives). When unpacking TAR archives, Content Server fails to verify the contents of an archive, which causes a path traversal vulnerability via symlinks. Because some files on the Content Server filesystem are security-sensitive, this leads to privilege escalation.
CVSS 8.8
CVE-2017-5586 EXPLOITDB CRITICAL java WORKING POC
OpenText Documentum D2 4.x - Remote Code Execution via Deserialization
OpenText Documentum D2 (formerly EMC Documentum D2) 4.x allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the BeanShell (bsh) and Apache Commons Collections (ACC) libraries.
CVSS 9.8