
Test ID: 1.3.6.1.4.1.25623.1.0.804556
Category: Web application abuses
Title: Xerox DocuShare SQLi Vulnerability (Apr 2014)
Summary: Xerox DocuShare is prone to an SQL injection (SQLi) vulnerability.
Description:

Summary:
Xerox DocuShare is prone to an SQL injection (SQLi)
vulnerability.

Vulnerability Insight:
Input appended to the URL after:

/dsweb/ResultBackgroundJobMultiple/1

is not properly sanitised before being used in SQL queries.

Vulnerability Impact:
Successful exploitation will allow an attacker to execute arbitrary
HTML or script code and to manipulate SQL queries in the backend database, allowing for the
manipulation or disclosure of arbitrary data.

Affected Software/OS:
Xerox DocuShare versions 6.5.3 Patch 6, 6.6.1 Update 1, 6.6.1
Update 2. Prior versions may also be affected.

Solution:
Update to 6.53 Patch 6 Hotfix 2, 6.6.1 Update 1 Hotfix 24,
6.6.1 Update 2 Hotfix 3 or later.

CVSS Score:
6.5

CVSS Vector:
AV:N/AC:L/Au:S/C:P/I:P/A:P

Cross-Ref:
Common Vulnerability Exposure (CVE) ID: CVE-2014-3138
BugTraq ID: 66922
http://www.securityfocus.com/bid/66922
http://www.exploit-db.com/exploits/32886
http://seclists.org/fulldisclosure/2014/Apr/205
http://packetstormsecurity.com/files/126171/Xerox-DocuShare-SQL-Injection.html
http://www.xerox.com/download/security/security-bulletin/a72cd-4f7a54ce14460/cert_XRX14-003_V1.0.pdf
http://www.osvdb.org/105972
http://secunia.com/advisories/57996
XForce ISS Database: xerox-docushare-sql-injection(92548)
https://exchange.xforce.ibmcloud.com/vulnerabilities/92548
Copyright: Copyright (C) 2014 Greenbone Networks GmbH
