SQL Injection Vulnerability in Oracle APEX/HTMLDB WWV_FLOW_UTILITIES
CVE-2006-7138

Currently unrated

Key Information:

Vendor: Oracle
Status: Apex
Vendor: CVE Published:; 7 March 2007

What is CVE-2006-7138?

An SQL injection vulnerability exists in the wwv_flow_utilities.gen_popup_list function of the WWV_FLOW_UTILITIES package for Oracle APEX/HTMLDB. This vulnerability allows authenticated remote users to manipulate the P_LOV parameter, thereby executing arbitrary SQL commands by providing an appropriate MD5 checksum for the P_LOV_CHECKSUM parameter. As a result, attackers may exploit this flaw to gain unauthorized access to sensitive data or execute harmful commands within the database environment.

References

http://www.red-database-security.com/advisory/oracle_cpu_...

x_refsource_MISC

http://www.red-database-security.com/advisory/oracle_apex...

x_refsource_MISC

http://lists.grok.org.uk/pipermail/full-disclosure/2006-O...

mailing-listx_refsource_FULLDISC

Timeline

Vulnerability published
Mar 7, 2007
Vulnerability Reserved
Mar 7, 2007