Oracle AutoVue Enterprise Visualization is a suite of Oracle products designed to deliver a web-based capability to access, view, digitally annotate and collaborate on technical and business documents, without requiring specialized computer-aided design (CAD) tools. AutoVue includes tools for Electronic Design Automation (EDA), a category of software tools for designing electronic systems such as printed circuit boards and integrated circuits.
A file creation vulnerability exists in the Oracle AutoVue ActiveX control. The vulnerability is due to an unrestricted **sFileName** parameter in the ExportEdaBom() function: the control writes its output to whatever path is supplied, so a script on a web page can use it to create or overwrite any file the browser user has write access to. A remote attacker can exploit this vulnerability by enticing a user to open a specially crafted web page in Internet Explorer, which instantiates the control and calls ExportEdaBom() with an attacker-chosen path.
Update Oracle AutoVue when a patch becomes available. As a workaround, set the kill bit for the CLSID associated with the **AutoVueX.ocx** ActiveX control, which stops Internet Explorer from instantiating it (note that this also disables legitimate AutoVue use from Internet Explorer on that host).
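The following script is an added example of applying the kill-bit workaround; it is not part of the original advisory and is not Oracle's code. Because the advisory names the file (AutoVueX.ocx) but the CLSID is not reproduced above, the script discovers the CLSID(s) at run time by scanning the COM class registrations for an InprocServer32 entry that points at AutoVueX.ocx, then writes the standard Internet Explorer kill bit (Compatibility Flags = 0x400) under the ActiveX Compatibility key, including the Wow6432Node view for a 32-bit control on 64-bit Windows. The assumptions are that the control is registered in the usual way for an .ocx (a default InprocServer32 value holding the file path) and that the script runs in an elevated session.

```powershell
# Added example: find and kill-bit the AutoVueX.ocx ActiveX control.
# Not from the advisory or from Oracle. Assumes the control is registered via
# InprocServer32 and that this runs elevated (HKLM writes). The registry paths
# for the kill bit are the documented Internet Explorer locations.

$ocxName = 'AutoVueX.ocx'   # file name as given in the advisory

function Get-OcxClsid {
    param([string]$FileName)
    # Both the native and the WOW6432Node class trees: a 32-bit control on
    # 64-bit Windows registers under the latter.
    $roots = @('HKLM:\SOFTWARE\Classes\CLSID',
               'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID')
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem $root -ErrorAction SilentlyContinue | ForEach-Object {
            $srv = Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
            $dll = if ($srv) { $srv.'(default)' } else { $null }
            if ($dll -and ($dll -like "*\$FileName")) {
                $_.PSChildName   # the {GUID} key name is the CLSID
            }
        }
    }
}

function Set-ActiveXKillBit {
    param([string]$Clsid)
    # 0x400 (COMPAT_EVIL_DONT_LOAD): Internet Explorer refuses to load the control.
    $paths = @(
        "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    )
    foreach ($p in $paths) {
        New-Item -Path $p -Force | Out-Null
        New-ItemProperty -Path $p -Name 'Compatibility Flags' -PropertyType DWord `
                         -Value 0x400 -Force | Out-Null
    }
}

function Test-ActiveXKillBit {
    param([string]$Clsid)
    # Verification: the kill bit is honoured only if bit 0x400 is set.
    $p = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    $flags = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band 0x400) -ne 0)
}

$clsids = @(Get-OcxClsid -FileName $ocxName | Sort-Object -Unique)
if ($clsids.Count -eq 0) {
    Write-Warning "No CLSID registered for $ocxName was found; the control may not be installed here."
} else {
    foreach ($c in $clsids) {
        Set-ActiveXKillBit -Clsid $c
        '{0} kill bit set: {1}' -f $c, (Test-ActiveXKillBit -Clsid $c)
    }
}
```

Run this once per affected workstation (or push the same two registry values by Group Policy Preferences) and confirm with Test-ActiveXKillBit that the value took effect. The kill bit is a browser-side control: it blocks instantiation from web pages in Internet Explorer and other hosts that honour the ActiveX Compatibility key, but it does not change the vulnerable ExportEdaBom() code, so the vendor patch is still required.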
The exploit works on Oracle AutoVue 20.0.2. The target user must open the exploit file in Internet Explorer, since the attack relies on the browser instantiating the AutoVueX ActiveX control.