8 matches found
CVE-2018-16957
Oracle WebCenter Interaction 10.3.3 search service’s queryd.exe is built with a hardcoded password (i1g2s3c4) used for authentication, and customers cannot customize this credential. A remote attacker could issue search queries over the network to exfiltrate large amounts of sensitive information...
CVE-2018-16958
Oracle WebCenter Interaction Portal 10.3.3 is affected. ASP.NET_SessionID cookie used with IIS/ASP.NET is not protected by HttpOnly, and customers cannot enable the attribute. This exposes the cookie to session hijacking if JavaScript runs in the portal origin. No explicit fix/mitigation is provi...
CVE-2018-16956
CVE-2018-16956 affects Oracle WebCenter Interaction Portal 10.3.3, specifically the AjaxControl component. The vulnerability arises because page rename requests do not validate the target page name, allowing characters unsupported by the web server (e.g., 0x7f) to be used. This can render renamed...
CVE-2018-16953
The CVE-2018-16953 entry affects Oracle WebCenter Interaction Portal 10.3.3. Specifically, the AjaxView::DisplayResponse() function in portalpages.dll reflects unsanitized user input from the name parameter in the server response, enabling reflected cross-site scripting (XSS). The vulnerability i...
CVE-2018-16954
Summary: CVE-2018-16954 affects Oracle WebCenter Interaction Portal 10.3.3. The login function does not validate the in_hi_redirect parameter, enabling an open redirect after successful login. This is due to insecure redirection in the login flow. The vulnerability’s exploitation details, affecte...
CVE-2018-16955
CVE-2018-16955 concerns Oracle WebCenter Interaction Portal 10.3.3. The vulnerability is a reflected cross-site scripting (XSS) in the login function: the content of the in_hi_redirect parameter, when prefixed with https://, is unsafely reflected into an HTML META tag in the HTTP response. This i...
CVE-2018-16959
An observed vulnerability in Oracle WebCenter Interaction Portal 10.3.3 arises from an insecure default User Profile configuration in the portal component. This allows anonymous users to retrieve the account names of portal users via /portal/server.pt/user/user/ requests. When WebCenter Interacti...
CVE-2018-16952
The CVE describes a CSRF design flaw in Oracle WebCenter Interaction Portal 10.3.3, where protection against CSRF is not implemented. This allows potential unauthorized actions in the portal, such as changing a user’s password. The issue is documented across multiple feeds (NVD, CVE listing, CNVD...