ONAPSIS Advisory 2018 020 SVS00612 Oracle E Business Suite Stored Cross Site Script
By exploiting this vulnerability, a remote attacker could steal sensitive business information by targeting other users connected to the system.
Advisory Information
Public Release Date: 5/24/2018
Security Advisory ID: ONAPSIS-2018-020
Onapsis SVS ID: 00612
CVE: CVE-2017-10325
Researcher: Martin Doyhenard
Vendor Provided CVSS v3: 8.2 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L)
Onapsis CVSS v3: 7.6 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L)
Onapsis Security Advisory | Advisory Title
info@onapsis.com | www.onapsis.com
Vulnerability Information
Vendor: Oracle
Affected Components: Oracle E-Business Suite 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
Oracle Common Applications Calendar (Applications Calendar)
Vulnerability Class: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Remotely Exploitable: Yes
Locally Exploitable: No
Authentication Required: No
Vulnerability Details
A remote unauthenticated attacker could use a specific JSP file to execute arbitrary code. This file has parameters which are neither validated nor encoded.
Solution
Implement the patch from the Oracle Critical Patch Update released on October 2017 or later.
Report Timeline
4/21/2017 Onapsis provides vulnerability information to Oracle.
10/17/2017 Oracle releases the Critical Patch Update in October 2017 fixing the vulnerability.
5/24/2018 Onapsis releases the security advisory.
• Have released over 150 SAP and Oracle Security Advisories to-date
• Are responsible for reporting more than 500 SAP and Oracle vulnerabilities to-date including over 100 for SAP HANA
• Regularly deliver research on the top 10 attack vectors affecting SAP Business Objects, SAP HANA, SAP Mobile, SAP ABAP, J2EE Portals, Oracle JD Edwards and Oracle E-Business Suite
Onapsis has been issued U.S. Patent No. 9,009,837 entitled “Automated Security Assessment of Business-Critical Systems and Applications,” which describes certain algorithms and capabilities behind the technology powering the Onapsis Security Platform™. This patented technology is well known, industry wide, and has gained Onapsis recognition on the Deloitte Technology Top 500, as a Red Herring North America Top 100 company and a SINET 16 Innovator.
For more information, please visit www.onapsis.com, or connect with us on Twitter, Google+, or LinkedIn.