SAINT Corporation, SAINT:51313E084E91D4BD502A6221ABA87C32
Aug 19, 2013 - 12:00 a.m.

Oracle WebCenter Content CheckOutAndOpen.dll ActiveX Control Vulnerability

2013-08-19 00:00:00
SAINT Corporation
my.saintcorporation.com

CVSS2: 4 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:S/C:N/I:N/A:P

EPSS: 0.971 High
Percentile: 99.8%

Added: 08/19/2013
CVE: CVE-2013-1559
BID: 59122
OSVDB: 92386

Background

Oracle WebCenter Content is an open platform that allows users to create a vast range of content management applications. It consolidates unstructured content from across diverse systems so it can be centrally managed and then exposes it from within desktop productivity tools, business applications, and mobile devices.

Problem

Oracle WebCenter Content Server contains a flaw in the **CheckOutAndOpen.dll** ActiveX control which is triggered when user-controlled input is passed to the openWebdav method. An attacker who persuades a vulnerable user to open a specially crafted web page could execute arbitrary code in the context of the user.

Resolution

Apply the update referenced in Oracle Critical Patch Update Advisory - April 2013.

References

<http://www.zerodayinitiative.com/advisories/ZDI-13-094/>

Limitations

This exploit was tested against Oracle WebCenter Content 11.1.1.6.0 on Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn).

The user must open the exploit in Internet Explorer 8 or 9.

Platforms

Windows
