XML External Entity Vulnerability in Oracle E-Business Suite
CVE-2016-0456

Currently unrated

Key Information:

Vendor: Oracle

CVE Published: 21 January 2016

What is CVE-2016-0456?

An unspecified vulnerability in the Application Management Pack for E-Business Suite component in Oracle E-Business Suite versions 12.1 and 12.2 exposes affected systems to XML External Entity (XXE) attacks. Attackers could exploit this vulnerability by sending XML requests containing crafted DTDs to the OA_HTML/copxmllcmservicecontroller.js endpoint, leading to unauthorized access to sensitive files, denial of service conditions, or even server-side request forgery (SSRF) attacks. This vulnerability has raised concerns regarding the confidentiality and integrity of information processed by affected systems.

Timeline

  • Vulnerability published

  • Vulnerability Reserved