ID CVE-2016-3533
Summary Unspecified vulnerability in the Oracle Knowledge Management component in Oracle E-Business Suite 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, and 12.2.5 allows remote attackers to affect integrity via vectors related to Search. NOTE: the previous information is from the July 2016 CPU. Oracle has not commented on third-party claims that this issue involves multiple open redirect vulnerabilities, which allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
References
Vulnerable Configurations
  • Oracle Knowledge Management 12.1.1
    cpe:2.3:a:oracle:knowledge_management:12.1.1
  • Oracle Knowledge Management 12.1.2
    cpe:2.3:a:oracle:knowledge_management:12.1.2
  • Oracle Knowledge Management 12.1.3
    cpe:2.3:a:oracle:knowledge_management:12.1.3
  • Oracle Knowledge Management 12.2.3
    cpe:2.3:a:oracle:knowledge_management:12.2.3
  • Oracle Knowledge Management 12.2.4
    cpe:2.3:a:oracle:knowledge_management:12.2.4
  • Oracle Knowledge Management 12.2.5
    cpe:2.3:a:oracle:knowledge_management:12.2.5
CVSS
Base: 4.3 (as of 12-08-2016 - 11:22)
Impact:
Exploitability:
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
NONE PARTIAL NONE
nessus via4
NASL family Misc.
NASL id ORACLE_E-BUSINESS_CPU_JUL_2016.NASL
description The version of Oracle E-Business installed on the remote host is missing the July 2016 Oracle Critical Patch Update (CPU). It is, therefore, affected by multiple vulnerabilities : - An unspecified flaw exists in the Wireless Framework subcomponent within the CRM Technical Foundation component that allows an unauthenticated, remote attacker to impact confidentiality and integrity. (CVE-2016-3491) - An unspecified flaw exists in the Function Security subcomponent within the Customer Interaction History component that allows an unauthenticated, remote attacker to impact confidentiality and integrity. (CVE-2016-3512) - An unspecified flaw exists in the AOL diagnostic tests subcomponent within the Application Object Library component that allows an authenticated, remote attacker to disclose potentially sensitive information. (CVE-2016-3520) - An unspecified flaw exists in the Application Service subcomponent within the Web Applications Desktop Integrator component that allows an unauthenticated, remote attacker to impact confidentiality and integrity. (CVE-2016-3522) - An unspecified flaw exists in the Application Service subcomponent within the Web Applications Desktop Integrator component that allows an unauthenticated, remote attacker to impact integrity. (CVE-2016-3523) - An unspecified flaw exists in the Configuration subcomponent within the Applications Technology Stack component that allows an unauthenticated, remote attacker to impact confidentiality and integrity. (CVE-2016-3524) - An unspecified flaw exists in the Cookie Management subcomponent within the Applications Manager component that allows an unauthenticated, remote attacker to disclose potentially sensitive information. (CVE-2016-3525) - An unspecified flaw exists in the Expenses Admin Utilities subcomponent within the Internet Expenses component that allows an unauthenticated, remote attacker to cause a denial of service condition. (CVE-2016-3528) - An unspecified flaw exists in the SDK client integration subcomponent within the Advanced Inbound Telephony component that allows an unauthenticated, remote attacker to impact confidentiality and integrity. (CVE-2016-3532) - An unspecified flaw exists in the Search subcomponent within the Knowledge Management component that allows an unauthenticated, remote attacker to impact integrity. (CVE-2016-3533) - An unspecified flaw exists in the Engineering Change Order subcomponent within the Installed Base component that allows an unauthenticated, remote attacker to impact integrity. (CVE-2016-3534) - An unspecified flaw exists in the Remote Launch subcomponent within the CRM Technical Foundation component that allows an unauthenticated, remote attacker to impact confidentiality and integrity. (CVE-2016-3535) - An unspecified flaw exists in the Deliverables subcomponent within the Marketing component that allows an unauthenticated, remote attacker to impact confidentiality and integrity. (CVE-2016-3536) - An unspecified flaw exists in the Notes subcomponent within the Common Applications Calendar component that allows an unauthenticated, remote attacker to impact confidentiality and integrity. (CVE-2016-3541) - An unspecified flaw exists in the Search/Browse subcomponent within the Knowledge Management component that allows an authenticated, remote attacker to impact confidentiality and integrity. (CVE-2016-3542) - An unspecified flaw exists in the Tasks subcomponent within the Common Applications Calendar component that allows an unauthenticated, remote attacker to impact confidentiality and integrity. (CVE-2016-3543) - An unspecified flaw exists in the Web based help screens subcomponent within the Application Object Library component that allows an unauthenticated, remote attacker to disclose potentially sensitive information. (CVE-2016-3545) - An unspecified flaw exists in the Report JSPs subcomponent within the Advanced Collections component that allows an unauthenticated, remote attacker to impact confidentiality and integrity. (CVE-2016-3546) - An unspecified flaw exists in the Content Manager subcomponent within the One-to-One Fulfillment component that allows an unauthenticated, remote attacker to disclose potentially sensitive information. (CVE-2016-3547) - An unspecified flaw exists in the Marketing activity collateral subcomponent within the Marketing component that allows an unauthenticated, remote attacker to disclose potentially sensitive information. (CVE-2016-3548) - An unspecified flaw exists in the Search Integration Engine subcomponent within the E-Business Suite Secure Enterprise Search component that allows an unauthenticated, remote attacker to disclose potentially sensitive information. (CVE-2016-3549) - Multiple unspecified flaws exist in the Email Center Agent Console subcomponent within the Email Center component that allow an unauthenticated, remote attacker to impact integrity. (CVE-2016-3558, CVE-2016-3559)
last seen 2019-02-21
modified 2018-07-16
plugin id 92461
published 2016-07-20
reporter Tenable
source https://www.tenable.com/plugins/index.php?view=single&id=92461
title Oracle E-Business Multiple Vulnerabilities (July 2016 CPU)
refmap via4
bid
  • 91787
  • 91909
confirm http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
misc https://www.onapsis.com/blog/oracle-fixes-record-276-vulnerabilities-july-2016
sectrack 1036403
Last major update 28-11-2016 - 15:10
Published 21-07-2016 - 06:13
Last modified 31-08-2017 - 21:29
Back to Top