CVSS2 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

| CVSS2 metric | Value |
|---|---|
| Attack Vector | NETWORK |
| Attack Complexity | LOW |
| Authentication | NONE |
| Confidentiality Impact | PARTIAL |
| Integrity Impact | PARTIAL |
| Availability Impact | PARTIAL |

AI Score confidence: Low
EPSS percentile: 99.4%
Added: 07/17/2012
CVE: CVE-2012-0549
BID: 53077
OSVDB: 81439
Oracle AutoVue Enterprise Visualization is a suite of Oracle products designed to deliver a web-based capability to access, view, digitally annotate and collaborate on technical and business documents, without requiring specialized computer-aided design (CAD) tools. AutoVue includes tools for Electronic Design Automation (EDA), a category of software tools for designing electronic systems such as printed circuit boards and integrated circuits.
The SetMarkupMode method of an ActiveX control provided by Oracle AutoVue does not properly sanitize its input parameters. If a user with this control installed were to visit a malicious web site, this vulnerability could be exploited to gain code execution on the victim’s system.
Apply the updates detailed in the Oracle April 2012 Critical Patch Update (CPU). Alternatively, set the kill bit for the **AutoVueX.ocx** ActiveX control associated with **CLSID {B6FCC215-D303-11D1-BC6C-0000C078797F}**, so that Internet Explorer refuses to instantiate it.
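One way to apply the kill-bit workaround above, as an added example that is not part of the original advisory or of any Oracle tooling: it writes the standard Internet Explorer "ActiveX Compatibility" registry entry for the CLSID named on this page (plus the Wow6432Node view when it exists, so 32-bit IE on 64-bit Windows is covered) and reads it back to confirm. It assumes an elevated PowerShell prompt.

```powershell
# Added example: set the Internet Explorer kill bit for the Oracle AutoVue
# AutoVueX.ocx control. CLSID is the one given in the advisory above.
# Run elevated; restart Internet Explorer afterwards for it to take effect.
$clsid = '{B6FCC215-D303-11D1-BC6C-0000C078797F}'

# 0x400 is the kill bit: IE will not load the control, regardless of its
# own "safe for scripting" / "safe for initialization" markings.
$KillBit = 0x400

$paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid")
# On 64-bit Windows, 32-bit IE reads the WOW64 view of the registry as well.
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
    $paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
}

foreach ($path in $paths) {
    if (-not (Test-Path $path)) {
        New-Item -Path $path -Force | Out-Null
    }

    # Preserve any compatibility flags already present; only OR in the kill bit.
    $current = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    $new = $current -bor $KillBit
    Set-ItemProperty -Path $path -Name 'Compatibility Flags' -Value $new -Type DWord

    # Verify the bit is now set before reporting success.
    $check = (Get-ItemProperty -Path $path -Name 'Compatibility Flags').'Compatibility Flags'
    if (($check -band $KillBit) -eq $KillBit) {
        Write-Output ('Kill bit set: {0} (Compatibility Flags = 0x{1:X})' -f $path, $check)
    } else {
        Write-Warning ('Failed to set kill bit at {0}' -f $path)
    }
}
```

The kill bit blocks the control in Internet Explorer only; the vulnerable OCX remains on disk, so the vendor update is still the complete fix.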
http://secunia.com/advisories/48875/
http://dvlabs.tippingpoint.com/advisory/TPTI-12-05
This exploit has been tested against Oracle AutoVue 20.0.2 on Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn). The HTML page must be opened using Internet Explorer 8 or 9 on the target. JRE 6 must be installed on Windows 7.
Platform: Windows