Oracle WebCenter Portal Multiple Vulnerabilities (Oct 2020 CPU)

The version of Oracle WebCenter Portal installed on the remote host is missing a security patch from the October 2020 Critical Patch Update (CPU). It is, therefore, affected by multiple vulnerabilities, including the following:

• dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j. (CVE-2020-10683)

• A vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Caching, CacheStore, Invocation). Supported versions that are affected are 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle Coherence. Successful attacks of this vulnerability can result in takeover of Oracle Coherence. (CVE-2020-2555)

• xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. e.g. JSON. (CVE-2019-10173)

• A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows remote attackers to inject arbitrary web script through a crafted protected comment (with the cke_protected syntax). (CVE-2020-9281)

Note that Nessus has not attempted to exploit these issues but has instead relied only on the application’s self-reported version number.