CVE-2016-3438

Published on: 04/21/2016 12:00:00 AM UTC

Last Modified on: 03/23/2021 11:27:01 PM UTC

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

Certain versions of Configurator from Oracle contain the following vulnerability:

Unspecified vulnerability in the Oracle Configurator component in Oracle Supply Chain Products Suite 12.0.6, 12.1, and 12.2 allows remote attackers to affect confidentiality and integrity via vectors related to JRAD Heartbeat. NOTE: the previous information is from the April 2016 CPU. Oracle has not commented on third-party claims that this issue involves multiple cross-site scripting (XSS) vulnerabilities, which allow remote attackers to inject arbitrary web script or HTML via three unspecified parameters in an unknown JSP file.

  • CVE-2016-3438 has been assigned to track this vulnerability, which is currently rated as HIGH severity.

CVSS3 Score: 8.2 - HIGH

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: REQUIRED
  • Scope: CHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: LOW
  • Availability Impact: NONE

CVSS2 Score: 6.4 - MEDIUM

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: NONE

CVE References

  • Oracle Critical Patch Update Advisory - April 2016 (Vendor Advisory, CONFIRM): www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
  • Oracle E-Business Suite 12.2 Cross Site Scripting - Packet Storm (MISC): packetstormsecurity.com/files/138564/Oracle-E-Business-Suite-12.2-Cross-Site-Scripting.html
  • Oracle E-Business Suite Cross Site Scripting (XSS) CVE-2016-3438 | Onapsis (MISC): onapsis.com/research/security-advisories/oracle-e-business-suite-cross-site-scripting-xss-cve-2016-3438
  • Oracle Supply Chain Products Suite Bugs Let Remote and Local Users Access and Modify Data and Deny Service - SecurityTracker (SECTRACK): alert 1035591 at www.securitytracker.com
  • Full Disclosure: Onapsis Security Advisory ONAPSIS-2016-018: Oracle E-Business Suite Cross Site Scripting (XSS) CVE-2016-3438 (FULLDISC, seclists.org): posting 20160830, "Onapsis Security Advisory ONAPSIS-2016-018: Oracle E-Business Suite Cross Site Scripting (XSS) CVE-2016-3438"

Known Affected Configurations (CPE V2.3)

Type         Vendor   Product        Version   Update   Edition   Language
Application  Oracle   Configurator   12.1      All      All       All
Application  Oracle   Configurator   12.2      All      All       All
  • cpe:2.3:a:oracle:configurator:12.1:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:configurator:12.2:*:*:*:*:*:*:*: