CRLF Injection Vulnerability in Oracle Portal Products
CVE-2006-6697

Currently unrated

Key Information:

Vendor: Oracle
Status: Application Server Portal
Vendor: CVE Published:; 22 December 2006

What is CVE-2006-6697?

A CRLF injection vulnerability exists within the calendar.jsp file of Oracle Portal 10g and prior versions, which allows remote attackers to inject arbitrary HTTP headers. This can result in HTTP response splitting attacks, potentially leading to security exploits such as session hijacking, cache poisoning, and cross-site scripting (XSS). Proper validation and sanitization of user inputs, particularly within the 'enc' parameter, are crucial for safeguarding against such vulnerabilities.

References

http://securityreason.com/securityalert/2057

third-party-advisoryx_refsource_SREASON

http://www.securityfocus.com/archive/1/454965/100/0/threaded

mailing-listx_refsource_BUGTRAQ

http://marc.info/?l=full-disclosure&m=116664018702238&w=2

mailing-listx_refsource_FULLDISC

EPSS Score

34% chance of being exploited in the next 30 days.

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 22, 2006
Vulnerability Reserved
Dec 21, 2006