ESA-2014-024: EMC Documentum Digital Asset Manager DQL Injection Vulnerability

Today EMC announced a security fix to address Blind Documentum Query Language (DQL) Injection vulnerability on Documentum Digital Asset Manager (DAM).

The affected versions are:

  • EMC Software: EMC Documentum Digital Asset Manager 6.5 SP3
  • EMC Software: EMC Documentum Digital Asset Manager 6.5 SP4
  • EMC Software: EMC Documentum Digital Asset Manager 6.5 SP5
  • EMC Software: EMC Documentum Digital Asset Manager 6.5 SP6

logo dam yuri simione documentum emc consultancy

The DAM thumbnail proxy server allows unauthenticated users to query objects using a vulnerable URL query string parameter. A malicious attacker may potentially conduct Blind DQL injection attacks using the vulnerable parameter to infer or modify the database contents.

EMC released a hotfix for DAM 6.5 SP3, 6.5 SP4, and 6.5 SP5. For 6.5 SP6, patch P13 and later contains resolution for this issue.

EMC strongly recommends all customers apply the hotfix or upgrade at the earliest opportunity.

You can subscribe the RSS feeds related to the security alerts published on my blog.

This entry was posted in ECM, EMC, Frontpage, Security alert and tagged , , . Bookmark the permalink.

Leave a Reply