Session Hijacking Vulnerability in Oracle WebCenter Interaction Portal
CVE-2018-16958
5.4 MEDIUM
Summary
Oracle WebCenter Interaction Portal 10.3.3, when deployed on Internet Information Services (IIS) with ASP.NET, issues its primary session cookie, ASP.NET_SessionID, without the HttpOnly attribute. Because the cookie is readable by script, JavaScript executing in the context of the portal installation can obtain it, which enables session hijacking by a malicious actor. Customers cannot mitigate this vulnerability themselves, since the HttpOnly attribute cannot be enabled for this cookie, so organizations still running this unsupported product need to be aware of the risk and rely on compensating security measures.
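A defender-side check for the weakness described above, as an added example that is not code from the advisory or from Oracle: it parses captured Set-Cookie headers and reports session cookies issued without HttpOnly (and Secure). The sample headers and the list of session-cookie names are constructed assumptions.

```python
# Audit Set-Cookie headers for session cookies that lack HttpOnly/Secure.
# Added example, not code from the advisory or from Oracle. The headers
# below are constructed samples; the first mirrors the weakness described
# above (a session cookie issued without HttpOnly).
from typing import Dict, List, Tuple

# Constructed Set-Cookie headers as captured from HTTP responses.
SAMPLE_SET_COOKIE_HEADERS = [
    "ASP.NET_SessionID=abc123; path=/",                    # weak: no HttpOnly, no Secure
    "ASP.NET_SessionID=abc123; path=/; HttpOnly; Secure",  # hardened
    "theme=dark; path=/; Max-Age=2592000",                 # not a session cookie
]

# Lower-cased names of cookies that carry a session token (assumed list).
SESSION_COOKIE_NAMES = {"asp.net_sessionid", "jsessionid", "phpsessid"}


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Split a Set-Cookie header into (cookie name, attributes).
    Attribute names are lower-cased; flag attributes such as HttpOnly
    map to "" so a plain membership test works."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        if attr:
            key, _, val = attr.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_cookie(header: str) -> List[str]:
    """Return the protective attributes a session cookie is missing.
    Non-session cookies produce no findings: the check targets cookies
    whose theft lets an attacker replay a logged-in session."""
    name, attrs = parse_set_cookie(header)
    if name.lower() not in SESSION_COOKIE_NAMES:
        return []
    return [flag for flag in ("HttpOnly", "Secure") if flag.lower() not in attrs]


def audit_headers(headers: List[str]) -> Dict[str, List[str]]:
    """Map each header with findings to the attributes it is missing."""
    return {h: missing for h in headers if (missing := audit_cookie(h))}


if __name__ == "__main__":
    for header, missing in audit_headers(SAMPLE_SET_COOKIE_HEADERS).items():
        print(f"{header!r}: missing {', '.join(missing)}")
```

Feed it the Set-Cookie headers from a scan of your own portal instances to confirm which ones still issue a script-readable session cookie.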
CVSS V3.1
Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged