Description
SQL injection vulnerability in Xerox DocuShare before 6.53 Patch 6 Hotfix 2, 6.6.1 Update 1 before Hotfix 24, and 6.6.1 Update 2 before Hotfix 3 allows remote authenticated users to execute arbitrary SQL commands via the PATH_INFO to /docushare/dsweb/ResultBackgroundJobMultiple/. NOTE: some of these details are obtained from third party information.
Exploits (1)
exploitdb
WORKING POC
by Brandon Perry · textwebappshardware
https://www.exploit-db.com/exploits/32886
References (8)
Core 8
Core References
Vendor Advisory x_refsource_misc
http://www.xerox.com/download/security/security-bulletin/a72cd-4f7a54ce14460/cert_XRX14-003_V1.0.pdf
Exploit exploit
x_refsource_exploit-db
http://www.exploit-db.com/exploits/32886
Third Party Advisory, VDB Entry vdb-entry
x_refsource_osvdb
http://www.osvdb.org/105972
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/57996
Exploit x_refsource_misc
http://packetstormsecurity.com/files/126171/Xerox-DocuShare-SQL-Injection.html
Exploit vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/66922
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/92548
Mailing List mailing-list
x_refsource_fulldisc
http://seclists.org/fulldisclosure/2014/Apr/205
Scores
EPSS
0.0345
EPSS Percentile
87.6%
Details
CWE
CWE-89
Status
published
Products (2)
xerox/docushare
6.5.3 (2 CPE variants)
xerox/docushare
6.6.1 (3 CPE variants)
Published
May 02, 2014
Tracked Since
Feb 18, 2026