SecurityTracker.com
Category:   Application (Generic)  >   Oracle E-Business Suite
Vendors:   Oracle
Oracle E-Business Suite Multiple Flaws Let Remote Users Access Data and Lets Remote Authenticated Users Modify Data
SecurityTracker Alert ID:  1041897
SecurityTracker URL:  http://securitytracker.com/id/1041897
CVE Reference:   CVE-2018-2971, CVE-2018-3011, CVE-2018-3138, CVE-2018-3151, CVE-2018-3167, CVE-2018-3188, CVE-2018-3189, CVE-2018-3190, CVE-2018-3196, CVE-2018-3235, CVE-2018-3236, CVE-2018-3237, CVE-2018-3242, CVE-2018-3243, CVE-2018-3244, CVE-2018-3256
Date:  Oct 16 2018
Impact:   Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information
Fix Available:  Yes
Vendor Confirmed:  Yes

Description:   Multiple vulnerabilities were reported in Oracle E-Business Suite. A remote user can access data on the target system. A remote authenticated user can modify data on the target system.

A remote user can exploit a flaw in the Oracle Application Object Library Attachments / File Upload component to access and partially modify data [CVE-2018-3138].

A remote user can exploit a flaw in the Oracle Applications Framework component to access and partially modify data [CVE-2018-3243].

A remote user can exploit a flaw in the Oracle Applications Manager component to access and partially modify data [CVE-2018-3235].

A remote user can exploit a flaw in the Oracle Customer Interaction History Outcome-Result component to access and partially modify data [CVE-2018-3189].

A remote user can exploit a flaw in the Oracle E-Business Intelligence Overview Page/Report Rendering component to access and partially modify data [CVE-2018-3190].

A remote user can exploit a flaw in the Oracle iStore Web interface component to access and partially modify data [CVE-2018-3188].

A remote user can exploit a flaw in the Oracle Marketing Marketing Administration component to access and partially modify data [CVE-2018-3242].

A remote user can exploit a flaw in the Oracle Partner Management Partner Dashboard component to access and partially modify data [CVE-2018-3196].

A remote user can exploit a flaw in the Oracle Trade Management User Interface component to access and partially modify data [CVE-2018-3011].

A remote user can exploit a flaw in the Oracle iProcurement E-Content Manager Catalog component to access data [CVE-2018-3151].

A remote authenticated user can exploit a flaw in the Oracle User Management Reports component to access and modify data [CVE-2018-3236].

A remote user can exploit a flaw in the Application Management Pack for Oracle E-Business Suite User Monitoring component to partially access data [CVE-2018-3167].

A remote user can exploit a flaw in the Oracle Application Object Library Attachments / File Upload component to partially modify data [CVE-2018-3244].

A remote user can exploit a flaw in the Oracle Applications Manager Support Cart component to partially access data [CVE-2018-3237].

A remote user can exploit a flaw in the Oracle Email Center Message Display component to partially modify data [CVE-2018-3256].

A remote authenticated user can exploit a flaw in the Oracle Applications Framework REST Services component to partially access data [CVE-2018-2971].

Andrej Simko of Accenture (also via iDefense Labs), Jayson Grace of Sandia National Laboratories, John Moss of IRM Security, Liam Glanfield of IRM Security, and Lokesh Sharma reported these vulnerabilities.

Impact:   A remote user can obtain data on the target system.

A remote authenticated user can modify data on the target system.

Solution:   The vendor has issued a fix as part of the Oracle Critical Patch Update Advisory - October 2018.

The vendor advisory is available at:

https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

Vendor URL:  www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
Cause:   Not specified
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


Copyright 2018, SecurityGlobal.net LLC