Popup Window Vulnerability in Oracle E-Business Suite by Oracle
CVE-2017-3528

5.4 MEDIUM

Key Information:

Vendor
Oracle
CVE Published:
24 April 2017

Summary

A vulnerability exists in the Oracle Applications Framework component of Oracle E-Business Suite, specifically in the handling of popup windows such as lists of values and datepickers. It allows an unauthenticated attacker with network access via HTTP to compromise the Oracle Applications Framework. Successful exploitation requires human interaction from a user other than the attacker. A successful attack can result in unauthorized modifications, including the ability to update, insert, or delete data accessible through Oracle Applications Framework. The affected versions are 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6; organizations running these versions should ensure their security measures are up to date.

Affected Version(s)

Applications Framework 12.1.3

Applications Framework 12.2.3

Applications Framework 12.2.4

EPSS Score

46% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved