Lucene search

K
zdiJoxean KoretZDI-07-058
HistoryOct 31, 2007 - 12:00 a.m.

Oracle E-Business Suite SQL Injection Vulnerability

2007-10-3100:00:00
Joxean Koret
www.zerodayinitiative.com
9

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.01 Low

EPSS

Percentile

82.9%

This vulnerability allows remote attackers to inject arbitrary SQL on vulnerable installations of Oracle E-Business Suite. Authentication is not required to exploit this vulnerability. The specific flaw exists in the okxLOV.jsp page in the Administration console. This page allows an attacker to specify arguments to a WHERE SQL command without sanitation, allowing for arbitrary SQL injection in the context of the APPS user.

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.01 Low

EPSS

Percentile

82.9%

Related for ZDI-07-058