SB2014040112 - Multiple vulnerabilities in Dell VPLEX GeoSynchrony
Published: April 1, 2014 Updated: August 10, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Input validation error (CVE-ID: CVE-2014-0633)
The vulnerability allows a remote #AU# to execute arbitrary code.
The GUI in EMC VPLEX GeoSynchrony 4.x and 5.x before 5.3 does not properly validate session-timeout values, which might make it easier for remote attackers to execute arbitrary code by leveraging an unattended workstation.
2) Input validation error (CVE-ID: CVE-2014-0634)
The vulnerability allows a remote #AU# to read and manipulate data.
EMC VPLEX GeoSynchrony 4.x and 5.x before 5.3 does not include the HTTPOnly flag in a Set-Cookie header for an unspecified cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.
3) Improper Authentication (CVE-ID: CVE-2014-0635)
The vulnerability allows a remote #AU# to read, manipulate or delete data.
Session fixation vulnerability in EMC VPLEX GeoSynchrony 4.x and 5.x before 5.3 allows remote attackers to hijack web sessions via unspecified vectors.
4) Path traversal (CVE-ID: CVE-2014-0632)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences in EMC VPLEX GeoSynchrony 4.x and 5.x before 5.3. A remote authenticated attacker can send a specially crafted HTTP request and remote authenticated users to execute arbitrary code via unspecified vectors.
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.