Arbitrary Code Execution Vulnerability in Oracle Forms by Oracle
CVE-2005-2372
Currently unrated
What is CVE-2005-2372?
Oracle Forms versions 4.5 through 10g contain a security flaw that allows attackers to execute arbitrary code. An attacker uploads a malicious .fmx file and then references it with an absolute pathname argument in either the form or module parameter to the f90servlet. Because form executables can be run from arbitrary directories with System or Oracle user privileges, this permits unauthorized command execution and creates significant security risks for affected systems.
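A detection check for the request pattern described above, as an added example that is not part of the original entry or of any Oracle tooling: it scans web access log lines for f90servlet requests whose form or module parameter decodes to an absolute path. The combined log format, the /forms/ URL prefix and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Absolute path shapes: POSIX root, UNC share, Windows drive letter.
ABSOLUTE = re.compile(r'^(?:/|\\\\|[A-Za-z]:[\\/])')
# Request line as it appears in a common/combined access log (assumed format).
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
WATCHED = {"form", "module"}

def absolute_form_refs(line):
    """Return [(param, decoded_value)] for form/module values that are absolute paths."""
    m = REQUEST.search(line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if not url.path.lower().endswith("f90servlet"):
        return []
    hits = []
    # parse_qsl percent-decodes, so %2Ftmp%2Fx.fmx is compared as /tmp/x.fmx.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name.lower() in WATCHED and ABSOLUTE.match(value.strip()):
            hits.append((name.lower(), value))
    return hits

def scan(lines):
    """Return [(line_number, (param, value))] for every suspicious reference."""
    return [(n, hit) for n, line in enumerate(lines, 1)
            for hit in absolute_form_refs(line)]

# Constructed sample log lines (documentation IP range, invented file names).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2006:10:00:01 +0000] "GET /forms/f90servlet?form=orders.fmx HTTP/1.1" 200 512',
    '192.0.2.44 - - [01/Jan/2006:10:00:07 +0000] "GET /forms/f90servlet?form=%2Ftmp%2Fupload%2Fx.fmx HTTP/1.1" 200 498',
    '192.0.2.44 - - [01/Jan/2006:10:00:09 +0000] "GET /forms/f90servlet?module=C%3A%5Ctemp%5Cx.fmx&userid= HTTP/1.1" 200 498',
    '192.0.2.10 - - [01/Jan/2006:10:00:12 +0000] "GET /index.html?form=/tmp/x.fmx HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for lineno, (param, value) in scan(SAMPLE_LOG):
        print(f"line {lineno}: {param} parameter references absolute path {value!r}")
```

Access logs record only the query string, so parameters sent in a POST body need the same check applied at a reverse proxy or web application firewall.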