SecurityTracker.com
Category:   Application (Generic)  >   Oracle E-Business Suite
Vendors:   Oracle
Oracle E-Business Suite Multiple Flaws Let Remote Users Access and Modify Data and Let Local Users Gain Elevated Privileges on the Target System
SecurityTracker Alert ID:  1041309
SecurityTracker URL:  http://securitytracker.com/id/1041309
CVE Reference:   CVE-2018-2934, CVE-2018-2953, CVE-2018-2954, CVE-2018-2988, CVE-2018-2991, CVE-2018-2993, CVE-2018-2994, CVE-2018-2995, CVE-2018-2996, CVE-2018-2997, CVE-2018-3008, CVE-2018-3012, CVE-2018-3017, CVE-2018-3018
Date:  Jul 18 2018
Impact:   Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information, User access via local system
Fix Available:  Yes
Vendor Confirmed:  Yes

Description:   Multiple vulnerabilities were reported in Oracle E-Business Suite. A remote user can access and modify data on the target system. A local user can obtain elevated privileges on the target system.

A remote user can exploit a flaw in the Oracle CRM Technical Foundation Preferences component to access and partially modify data [CVE-2018-2993, CVE-2018-3017].

A remote user can exploit a flaw in the Oracle iStore Shopping Cart component to access and partially modify data [CVE-2018-2995, CVE-2018-3018].

A remote user can exploit a flaw in the Oracle Marketing User Interface component to access and partially modify data [CVE-2018-3008].

A remote user can exploit a flaw in the Oracle One-to-One Fulfillment Print Server component to access and partially modify data [CVE-2018-2953].

A remote user can exploit a flaw in the Oracle Scripting Script Author component to access and partially modify data [CVE-2018-2997].

A remote user can exploit a flaw in the Oracle Trade Management User Interface component to access and partially modify data [CVE-2018-2991, CVE-2018-3012].

A remote user can exploit a flaw in the Oracle Applications Manager Oracle Diagnostics Interfaces component to access data [CVE-2018-2996].

A local user can exploit a flaw in the Oracle Order Management Product Diagnostic Tools component to gain elevated privileges [CVE-2018-2954].

A remote user can exploit a flaw in the Oracle Marketing Products component to access and partially modify data [CVE-2018-2988].

A remote user can exploit a flaw in the Oracle Application Object Library Attachments / File Upload component to partially modify data [CVE-2018-2934].

A remote user can exploit a flaw in the Oracle iStore Shopping Cart component to partially access data [CVE-2018-2994].

Adam Willard, Amin Moralic of Pure Hacking, Andre Lenoir of Tehtris, Linpei Sheng of 360 Enterprise Security Group, Lokesh Sharma, Matthew Fulton of Pure Hacking, Nicolas Verdier of Tehtris, and Pawan Patil of Electronic Arts reported these vulnerabilities.

Impact:   A remote user can obtain data on the target system.

A remote user can modify data on the target system.

A local user can obtain elevated privileges on the target system.

Solution:   The vendor has issued a fix as part of the July 2018 Critical Patch Update.

The vendor advisory is available at:

http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

Vendor URL:  www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (Any)

Message History:   None.



Copyright 2019, SecurityGlobal.net LLC