Key Vulnerability Information

Summary

Multiple vulnerabilities were discovered in Xythos Server Products, specifically in Xythos Enterprise Document Manager (XEDM) versions 5.0 and 6.0, and Xythos Digital Locker (XDL) version 6.0. These vulnerabilities could lead to stored and reflected XSS (Cross-Site Scripting) and CSRF (Cross-Site Request Forgery) issues.

Vulnerability Details

Vulnerability #1: Persistent XSS and CSRF Vulnerability in a File Workflow Name
XEDM's workflow feature permits users to include HTML, JavaScript, and other active content in the name of a saved workflow, allowing an attacker to gain control of the administrative interface.

Vulnerability #2: Persistent XSS Vulnerability in a File Workflow Name
Deleting a workflow template with active content can trigger an XSS payload.

Vulnerability #3: Persistent XSS and CSRF Vulnerability in a File Content-Type Value
Users can set arbitrary Content-Types, which can lead to XSS and CSRF attacks when another user views the file's properties.

Vulnerability #4: Reflected XSS Vulnerability in the File Upload Action
Uploading a file with an active content filename can result in a reflected XSS attack.

Vulnerability #5: Distributing Malicious Content due to Misleading URLs and User-Supplied File Content Types
Users can distribute URLs linking to files with dangerous content.

CVE Information

CVE-2007-3254 - XSS (#1, #2, #3, #4)
CVE-2007-3255 - CSRF (#1, #3)
CVE-2007-3256 - Dangerous content type specification (#5)

Recommendations

Upgrade to XEDM/XDL version 5.0.25.8 or 6.0.46.1.
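The two root causes above (user-controlled names rendered unescaped into pages, and user-supplied Content-Type values served back verbatim) are illustrated by the following added Python example; it is not Xythos code, and the function names, the inline-safe type list and the header set are assumptions about how a hardened document server would handle these values.

```python
import html

# Media types a document server can safely let the browser render inline.
# Anything else (text/html, image/svg+xml, unknown types) is downgraded so
# user-supplied content is never interpreted as active content in the
# server's origin.
INLINE_SAFE_TYPES = {
    "text/plain",
    "image/png",
    "image/jpeg",
    "image/gif",
    "application/pdf",
}


def normalize_content_type(user_supplied: str) -> str:
    """Return the media type to serve for an uploader-chosen Content-Type.

    Parameters such as charset are dropped and the type is lower-cased before
    the allowlist check; non-allowlisted types become a neutral binary type.
    """
    media_type = user_supplied.split(";", 1)[0].strip().lower()
    return media_type if media_type in INLINE_SAFE_TYPES else "application/octet-stream"


def download_headers(user_supplied_type: str, filename: str) -> dict:
    """Response headers for serving a stored file whose type came from the uploader."""
    media_type = normalize_content_type(user_supplied_type)
    # Keep only characters that cannot break out of the quoted filename parameter.
    safe_name = "".join(c for c in filename if c.isalnum() or c in "._-") or "download"
    return {
        "Content-Type": media_type,
        # Stop browsers from sniffing a downgraded type back into HTML.
        "X-Content-Type-Options": "nosniff",
        # Force a download instead of inline rendering of user content.
        "Content-Disposition": f'attachment; filename="{safe_name}"',
    }


def render_property(label: str, value: str) -> str:
    """Render one row of a file-properties or workflow-list page.

    Both the label and the stored value (workflow name, Content-Type, filename)
    are HTML-escaped, so markup saved by one user is shown as text to the next.
    """
    return (
        f"<tr><td>{html.escape(label, quote=True)}</td>"
        f"<td>{html.escape(value, quote=True)}</td></tr>"
    )
```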