Multiple reflected cross-site scripting vulnerabilities in EMC Documentum eRoom

SEC Consult Vulnerability Lab Security Advisory < 20131107-0 >


title: Multiple reflected cross-site scripting vulnerabilities
product: EMC Documentum eRoom
vulnerable version: 7.44
fixed version: 7.4.4 P11
CVE: CVE-2013-3286
impact: medium

found: 2012-08-20
by: V. Paulikas
SEC Consult Vulnerability Lab




Vendor description:

"EMC Documentum eRoom is easy-to-use online team collaboration software that
enables distributed teams to work together more efficiently. With Documentum
eRoom, teams around the world can accelerate document collaboration and group
activities, improve the development and delivery of products and services,
optimize collaborative business processes, improve innovation, and streamline




Vulnerability overview/description:

Documentum eRoom suffers from multiple reflected cross-site scripting
vulnerabilities, which allow an attacker to steal other users' sessions,
to impersonate other users and to gain unauthorized access to documents
hosted in eRooms. A JavaScript worm could be utilized to crawl an eRoom and
gather all available documents.

Many parameters, including several HTTP request headers, are not properly
sanitized before being reflected into the response and are thus vulnerable
to XSS.



Proof of concept:

1) The "Referer" header is not properly validated and is thus prone to reflected cross-site

POST /eRoomASP/Connect.asp?Ctxt=&ERClickInMap=FALSE&command=btnDefault&SessionKey= HTTP/1.1
Host: localhost
Referer: localhost/eRoomxss"><script>alert(document.cookie)</script>

2) The "User-Agent" header is not properly validated and is thus prone to reflected cross-site

GET /eRoomtest/diagVariables.asp HTTP/1.1
User-Agent: <script>alert(document.cookie)</script>
Host: localhost

Other vulnerable header fields include "Connection" and "Accept-Language".
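The two defender-side pieces that follow are an added example written for this page; they are not code from the advisory, from SEC Consult or from EMC eRoom. The first function shows the contextual output encoding a page must apply before echoing a request header such as Referer or User-Agent into HTML, which is what turns the payloads above into inert text. The second scans IIS-style W3C extended log lines and flags requests whose User-Agent or Referer field carries markup, the check a responder would run to see whether the reflection in diagVariables.asp or Connect.asp has been probed. It assumes the W3C log conventions IIS uses (a "#Fields:" directive naming the columns, space-separated values, "-" for empty, "+" for spaces, %XX escapes); the log lines embedded in the block are constructed samples, not real eRoom logs.

```python
"""Added example (not part of the advisory or of EMC eRoom): HTML output
encoding for reflected headers, plus a log scan for probes of the
Referer / User-Agent reflection described in the advisory."""
import html
import re
from urllib.parse import unquote

# Markup that has no business in a User-Agent or Referer value.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*(script|img|svg|iframe|body|object|embed)\b"  # tag openers
    r"|javascript\s*:"                                       # URL scheme
    r"|\bon[a-z]+\s*=",                                      # event-handler attribute
    re.IGNORECASE,
)

# W3C log columns for the two header fields the advisory says eRoom reflects.
WATCHED = {"cs(User-Agent)": "User-Agent", "cs(Referer)": "Referer"}


def encode_for_html(value: str) -> str:
    """HTML-encode a header value before writing it into a page body or a
    quoted attribute. quote=True also escapes " and ', which is what stops
    the Referer PoC from closing the attribute it is reflected into."""
    return html.escape(value, quote=True)


def decode_field(raw: str) -> str:
    """Undo the W3C/IIS log escaping: '-' is empty, '+' is space, %XX is URL-encoded
    (assumed IIS conventions)."""
    if raw == "-":
        return ""
    return unquote(raw.replace("+", " "))


def find_header_xss(log_text: str) -> list:
    """Return one finding per watched header whose decoded value contains markup."""
    fields = []
    findings = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # the directive names the columns
            continue
        if not line or line.startswith("#"):
            continue                        # other directives and blank lines
        values = line.split()
        if len(values) != len(fields):
            continue                        # malformed line: skip rather than guess
        record = dict(zip(fields, values))
        for column, header in WATCHED.items():
            decoded = decode_field(record.get(column, "-"))
            if SUSPICIOUS.search(decoded):
                findings.append({
                    "time": f"{record['date']} {record['time']}",
                    "uri": record["cs-uri-stem"],
                    "header": header,
                    "value": decoded,
                })
    return findings


# Constructed sample log (not real data); lines 2 and 3 mirror the advisory's PoCs.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services
#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent) cs(Referer)
2013-11-07 10:00:01 GET /eRoomtest/diagVariables.asp - 200 Mozilla/5.0+(Windows+NT+6.1) -
2013-11-07 10:00:02 GET /eRoomtest/diagVariables.asp - 200 <script>alert(document.cookie)</script> -
2013-11-07 10:00:03 POST /eRoomASP/Connect.asp Ctxt=&ERClickInMap=FALSE&command=btnDefault&SessionKey= 200 Mozilla/5.0 http://localhost/eRoomxss%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
2013-11-07 10:00:04 GET /eRoomASP/Connect.asp - 302 Mozilla/5.0+(compatible;+MSIE+9.0) http://localhost/eRoom/
"""

if __name__ == "__main__":
    for hit in find_header_xss(SAMPLE_LOG):
        print(f"{hit['time']} {hit['uri']} {hit['header']}: {hit['value']!r}")
    # The encoded form is what a fixed page would emit for the Referer PoC value.
    print(encode_for_html('"><script>alert(document.cookie)</script>'))
```

Running the block on the sample prints two hits (the User-Agent probe against diagVariables.asp and the Referer probe against Connect.asp) and then the encoded Referer value, in which the quote and angle brackets have become `&quot;`, `&lt;` and `&gt;`. The scan is a signature check and will miss obfuscated payloads; its value is in confirming whether the specific reflection points named in the advisory were exercised before the patch was applied.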



Vendor contact timeline:

2012-10-09: Contacting vendor through
2012-10-09: Vendor forwarded information to product team
2012-10-31: Vendor investigates reported issues
2013-07-16: Vendor will release the fixes of the issues with 7.4.4 SP1 in early Q2 2014
2013-11-13: Coordinated release of advisory






Upgrade to EMC Documentum eRoom version 7.4.4 P11.



Advisory URL:





SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15

Mail: research at sec-consult dot com





EOF V. Paulikas / @2013