Denial of Service Vulnerability in Oracle WebCenter Interaction Portal
CVE-2018-16956

6.5MEDIUM

Key Information:

Vendor: Oracle
Status: Webcenter Interaction
Vendor: CVE Published:; 18 September 2018

Summary

The AjaxControl component of Oracle WebCenter Interaction Portal 10.3.3 lacks proper validation of page names during rename requests. This flaw allows for pages to be renamed with unsupported characters, such as 0x7f. When renamed in this manner, these pages become inaccessible via the web server (e.g., IIS), resulting in a Denial of Service (DoS) condition. Importantly, Oracle has indicated that this product is no longer supported, and thus, the risk remains unaddressed.

References

https://seclists.org/fulldisclosure/2018/Sep/22

x_refsource_MISC

http://www.securityfocus.com/bid/105350

vdb-entryx_refsource_BID

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 18, 2018
Vulnerability Reserved
Sep 12, 2018