34 lines
1.5 KiB
YAML
id: CVE-2017-3528

info:
  name: Oracle E-Business Suite 12.1.3/12.2.x - Open Redirect
  author: 0x_Akoko
  severity: medium
  description: 'The Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (lists of values, datepicker, etc.)) is impacted by open redirect issues in versions 12.1.3, 12.2.3,
    12.2.4, 12.2.5 and 12.2.6. These easily exploitable vulnerabilities allow unauthenticated attackers with network access via HTTP to compromise Oracle Applications Framework. Successful attacks require human interaction
    from a person other than the attacker and while the vulnerability is in Oracle Applications Framework, attacks may significantly impact additional products. Successful attacks of this vulnerability can result
    in unauthorized update, insert or delete access to some of Oracle Applications Framework accessible data.'
  reference:
    - https://blog.zsec.uk/cve-2017-3528/
    - https://www.exploit-db.com/exploits/43592
    - https://nvd.nist.gov/vuln/detail/CVE-2017-3528
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
    cvss-score: 5.4
    cve-id: CVE-2017-3528
    cwe-id: CWE-601
  tags: cve,cve2017,oracle,redirect

requests:
  - method: GET
    path:
      - "{{BaseURL}}/OA_HTML/cabo/jsps/a.jsp?_t=fredRC&configName=&redirect=%2f%5cexample.com"

    matchers:
      - type: word
        words:
          - 'noresize src="/\example.com?configName='
        part: body

# Enhanced by mp on 2022/04/14