製品・ソフトウェアに関する情報

JVN脆弱性詳細

XEDM におけるクロスサイトリクエストフォージェリの脆弱性

Title	XEDM におけるクロスサイトリクエストフォージェリの脆弱性
Summary	Xythos Enterprise Document Manager (XEDM) には、クロスサイトリクエストフォージェリの脆弱性が存在します。
Possible impacts	リモート認証されたユーザにより、(1) 保存済み Workflow 名、または (2) Content-Type HTTP ヘッダを介して、任意のユーザとしてコマンドを実行される可能性があります。
Solution	ベンダ情報および参考情報を参照して適切な対策を実施してください。
Publication Date	June 27, 2007, midnight
Registration Date	Dec. 20, 2012, 6:19 p.m.
Last Update	Dec. 20, 2012, 6:19 p.m.

Affected System

xythos

enterprise document manager 5.0.25.8 未満、6.0.46.1 未満の 6.x

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2007-3255	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3255
National Vulnerability Database (NVD)
2	CVE-2007-3255	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-3255

ベンダー情報

No	Name	URL
xythos
1	Enterprise Document Manager	http://www.blackboard.com/Platforms/Learn/Products/Blackboard-Learn/Blackboard-Xythos.aspx

Change Log

No	Changed Details	Date of change
0	[2012年12月20日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2007-3255

Summary	Multiple cross-site request forgery (CSRF) vulnerabilities in Xythos Enterprise Document Manager (XEDM) before 5.0.25.8, and 6.x before 6.0.46.1, allow remote authenticated users to execute commands as arbitrary users via (1) a saved Workflow name or (2) the Content-Type HTTP header. NOTE: item 2 also affects the same version numbers of Xythos Digital Locker (XDL). One or both vectors might also affect Xythos WebFile Server.
Summary	Múltiples vulnerabilidades de falsificación de petición en sitios cruzados (CSRF) en Xythos Enterprise Document Manager (XEDM) anterior a 5.0.25.8, y 6.x anterior a 6.0.46.1, permite a usuarios remotos autenticados ejecutar comandos como usuarios de su elección mediante (1) un nombre de Workflow guardado o (2) la cabecera HTTP Content-Type. NOTA: el punto 2 también afecta a los mismos números de versión de Xythos Digital Locker (XDL). Uno o más vectores podrían también afectar a Xythos WebFile Server.
Publication Date	June 28, 2007, 3:30 a.m.
Registration Date	Jan. 29, 2021, 2:14 p.m.
Last Update	April 23, 2026, 9:35 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:xythos:enterprise_document_manager::::::::		5.0.25.7
cpe:2.3:a:xythos:enterprise_document_manager::::::::		6.0.46.0

Related information, measures and tools

No	URL	refsource
1	http://osvdb.org/37615	cve@mitre.org
2	http://osvdb.org/37616	cve@mitre.org
3	http://secunia.com/advisories/25783	cve@mitre.org
4	http://securityreason.com/securityalert/2845	cve@mitre.org
5	http://securitytracker.com/id?1018291	cve@mitre.org
6	http://securitytracker.com/id?1018292	cve@mitre.org
7	http://www.securityfocus.com/archive/1/472275/100/0/threaded	cve@mitre.org
8	http://www.securityfocus.com/bid/24521	cve@mitre.org
9	http://www.symantec.com/content/en/us/enterprise/research/SYMSA-2007-004.txt	cve@mitre.org
10	https://exchange.xforce.ibmcloud.com/vulnerabilities/35084	cve@mitre.org
11	http://osvdb.org/37615	af854a3a-2127-422b-91ae-364da2661108
12	http://osvdb.org/37616	af854a3a-2127-422b-91ae-364da2661108
13	http://secunia.com/advisories/25783	af854a3a-2127-422b-91ae-364da2661108
14	http://securityreason.com/securityalert/2845	af854a3a-2127-422b-91ae-364da2661108
15	http://securitytracker.com/id?1018291	af854a3a-2127-422b-91ae-364da2661108
16	http://securitytracker.com/id?1018292	af854a3a-2127-422b-91ae-364da2661108
17	http://www.securityfocus.com/archive/1/472275/100/0/threaded	af854a3a-2127-422b-91ae-364da2661108
18	http://www.securityfocus.com/bid/24521	af854a3a-2127-422b-91ae-364da2661108
19	http://www.symantec.com/content/en/us/enterprise/research/SYMSA-2007-004.txt	af854a3a-2127-422b-91ae-364da2661108
20	https://exchange.xforce.ibmcloud.com/vulnerabilities/35084	af854a3a-2127-422b-91ae-364da2661108

Common Vulnerabilities List