CVE-2016-3438
Published on: 04/21/2016 12:00:00 AM UTC
Last Modified on: 03/23/2021 11:27:01 PM UTC
Certain versions of Configurator from Oracle contain the following vulnerability:
Unspecified vulnerability in the Oracle Configurator component in Oracle Supply Chain Products Suite 12.0.6, 12.1, and 12.2 allows remote attackers to affect confidentiality and integrity via vectors related to JRAD Heartbeat. NOTE: the previous information is from the April 2016 CPU. Oracle has not commented on third-party claims that this issue involves multiple cross-site scripting (XSS) vulnerabilities, which allow remote attackers to inject arbitrary web script or HTML via three unspecified parameters in an unknown JSP file.
- CVE-2016-3438 has been assigned by [email protected] to track the vulnerability - currently rated as HIGH severity.
CVSS3 Score: 8.2 - HIGH
Attack Vector | Attack Complexity | Privileges Required | User Interaction |
---|---|---|---|
NETWORK | LOW | NONE | REQUIRED |

Scope | Confidentiality Impact | Integrity Impact | Availability Impact |
---|---|---|---|
CHANGED | HIGH | LOW | NONE |
CVSS2 Score: 6.4 - MEDIUM
Access Vector | Access Complexity | Authentication |
---|---|---|
NETWORK | LOW | NONE |

Confidentiality Impact | Integrity Impact | Availability Impact |
---|---|---|
PARTIAL | PARTIAL | NONE |
CVE References
Description | Tags | Link |
---|---|---|
Oracle Critical Patch Update Advisory - April 2016 | Vendor Advisory | www.oracle.com (text/html) |
Oracle E-Business Suite 12.2 Cross Site Scripting ≈ Packet Storm | | packetstormsecurity.com (text/html) |
Oracle E-Business Suite Cross Site Scripting (XSS) CVE-2016-3438 \| Onapsis | | onapsis.com (text/html) |
Oracle Supply Chain Products Suite Bugs Let Remote and Local Users Access and Modify Data and Deny Service - SecurityTracker | | www.securitytracker.com (text/html) |
Full Disclosure: Onapsis Security Advisory ONAPSIS-2016-018: Oracle E-Business Suite Cross Site Scripting (XSS) CVE-2016-3438 | | seclists.org (text/html) |
There are currently no QIDs associated with this CVE
Known Affected Configurations (CPE V2.3)
Type | Vendor | Product | Version | Update | Edition | Language |
---|---|---|---|---|---|---|
Application | Oracle | Configurator | 12.1 | All | All | All |
Application | Oracle | Configurator | 12.2 | All | All | All |
- cpe:2.3:a:oracle:configurator:12.1:*:*:*:*:*:*:*:
- cpe:2.3:a:oracle:configurator:12.2:*:*:*:*:*:*:*:
No vendor comments have been submitted for this CVE