Vulnerabilities for Webcenter interaction (...) - CXSECURITY.COM

Vulnerabilities for 'Webcenter interaction'

2018-09-17

CVE-2018-16959

CWE-200

An issue was discovered in Oracle WebCenter Interaction Portal 10.3.3. The portal component is delivered with an insecure default User Profile community configuration that allows anonymous users to retrieve the account names of all portal users via /portal/server.pt/user/user/ requests. When WCI is synchronised with Active Directory (AD), this vulnerability can expose the account names of all AD users. NOTE: this CVE is assigned by MITRE and isn't validated by Oracle because Oracle WebCenter Interaction Portal is out of support.

CVE-2018-16958

CWE-732

An issue was discovered in Oracle WebCenter Interaction Portal 10.3.3. The ASP.NET_SessionID primary session cookie, when Internet Information Services (IIS) with ASP.NET is used, is not protected with the HttpOnly attribute. The attribute cannot be enabled by customers. Consequently, this cookie is exposed to session hijacking attacks should an adversary be able to execute JavaScript in the origin of the portal installation. NOTE: this CVE is assigned by MITRE and isn't validated by Oracle because Oracle WebCenter Interaction Portal is out of support.

CVE-2018-16957

CWE-798

The Oracle WebCenter Interaction 10.3.3 search service queryd.exe binary is compiled with the i1g2s3c4 hardcoded password. Authentication to the Oracle WCI search service uses this hardcoded password and cannot be customised by customers. An adversary able to access this service over a network could perform search queries to extract large quantities of sensitive information from the WCI installation. NOTE: this CVE is assigned by MITRE and isn't validated by Oracle because Oracle WebCenter Interaction Portal is out of support.

CVE-2018-16956

CWE-20

The AjaxControl component of Oracle WebCenter Interaction Portal 10.3.3 does not validate the names of pages when processing page rename requests. Pages can be renamed to include characters unsupported for URIs by the web server hosting the WCI Portal software (such as IIS). Renaming pages to include unsupported characters, such as 0x7f, prevents these pages from being accessed over the web server, causing a Denial of Service (DoS) to the page. NOTE: this CVE is assigned by MITRE and isn't validated by Oracle because Oracle WebCenter Interaction Portal is out of support.

CVE-2018-16955

CWE-79

The login function of Oracle WebCenter Interaction Portal 10.3.3 is vulnerable to reflected cross-site scripting (XSS). The content of the in_hi_redirect parameter, when prefixed with the https:// scheme, is unsafely reflected in a HTML META tag in the HTTP response. NOTE: this CVE is assigned by MITRE and isn't validated by Oracle because Oracle WebCenter Interaction Portal is out of support.

CVE-2018-16954

CWE-601

An issue was discovered in Oracle WebCenter Interaction Portal 10.3.3. The login function of the portal is vulnerable to insecure redirection (also called an open redirect). The in_hi_redirect parameter is not validated by the application after a successful login. NOTE: this CVE is assigned by MITRE and isn't validated by Oracle because Oracle WebCenter Interaction Portal is out of support.

CVE-2018-16953

CWE-79

The AjaxView::DisplayResponse() function of the portalpages.dll assembly in Oracle WebCenter Interaction Portal 10.3.3 is vulnerable to reflected cross-site scripting (XSS). User input from the name parameter is unsafely reflected in the server response. NOTE: this CVE is assigned by MITRE and isn't validated by Oracle because Oracle WebCenter Interaction Portal is out of support.

CVE-2018-16952

CWE-352

The Oracle WebCenter Interaction Portal 10.3.3 does not implement protection against Cross-site Request Forgery in its design. The impact is sensitive actions in the portal (such as changing a portal user's password). NOTE: this CVE is assigned by MITRE and isn't validated by Oracle because Oracle WebCenter Interaction Portal is out of support.

>>> Vendor: Oracle 744 Products

Database server

Database assistant

Application server

Internet directory

E-business suite

Application server web cache

Corporate time outlook connector

Application server portal

Collaboration suite

Enterprise manager

Enterprise manager database control

Enterprise manager grid control

Database server lite

10g reports server

10g enterprise manager database control

Enterprise manager application server control

Peoplesoft enterprise

Peoplesoft enterprise customer relationship management

Application server discussion forum portlet

Peoplesoft enterprise portal

10g enterprise manager grid control

Developer suite

Collaboration suite 10g release 1

Peoplesoft enterprise tools

Rapid install web server

Peoplesoft enterprise human capital management

Peoplesoft enterprise peopletools

Secure enterprise search

Enterprise grid console server

Application server 9i

Application express

Application server 10g

E-business suite 11i

E-business suite 12

Peoplesoft hcm eperformance

Siebel enterprise

Bea product suite

Weblogic server

Webloic server component

Weblogic server component

Oracle portal component

Report manager component

Application object library

Advanced replication

Enterprise manager 10g

Instance management component

Advanced replication component

Oracle database

Oracle application server

Mobile application server

Times ten client server component

Times ten in memory database

Times ten client server

Spatial component

Data pump component

Authentication component

Advanced queuing component

Oracle applications technology stack component

Core rdbms component

Hyperion bi plus component

Database scheduler

Oracle http server component

Jd edwards enterpriseone

Peoplesoft peopletools component

Peoplesoft peopletools

Glassfish server

Jd edwards enterpriseone ep

Weblogic workshop

Timesten in-memory database

Enterprise manager grid control 10g

See all Products for Vendor Oracle

Copyright 2024, cxsecurity.com