CVE-2013-3770

2013-07-1713:41:16

[email protected]

web.nvd.nist.gov

cve-2013-3770

oracle

webcenter content

fusion middleware

unspecified vulnerability

confidentiality

integrity

remote authenticated users

idoc script injection

content server

urm

sensitive files

5.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:P/A:N

4.9 Medium

AI Score

Confidence

Low

0.004 Low

EPSS

Percentile

72.5%

JSON

Unspecified vulnerability in the Oracle WebCenter Content component in Oracle Fusion Middleware 10.1.3.5.1, 11.1.1.6.0, and 11.1.1.7.0 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Content Server. NOTE: the previous information is from the October 2013 CPU. Oracle has not commented on claims from a third party that the issue is related to “iDoc script injection” in the (1) cs and (2) urm components, which allows attackers to read “sensitive” files, as demonstrated by obtaining the “AES encryption key and encrypted credentials” of the weblogic user.

Affected configurations

NVD

Node

oraclefusion_middlewareMatch10.1.3.5.1

oraclefusion_middlewareMatch11.1.1.6.0

oraclefusion_middlewareMatch11.1.1.7.0

CPENameOperatorVersion
oracle:fusion_middlewareoracle fusion middlewareeq10.1.3.5.1
oracle:fusion_middlewareoracle fusion middlewareeq11.1.1.6.0
oracle:fusion_middlewareoracle fusion middlewareeq11.1.1.7.0

CPE	Name	Operator	Version
oracle:fusion_middleware	oracle fusion middleware	eq	10.1.3.5.1
oracle:fusion_middleware	oracle fusion middleware	eq	11.1.1.6.0
oracle:fusion_middleware	oracle fusion middleware	eq	11.1.1.7.0