Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2014-2880

Severity: 5.8 MEDIUM
EPSS: 12.2% (top 6.17%)
CISA KEV: Not in KEV
Exploit: PoC available
Timeline
Published: Apr 17
Latest update: May 17

Description

Open redirect vulnerability in the Oracle Identity Manager component in Oracle Fusion Middleware 11.1.1.5, 11.1.1.7, 11.1.2.1, and 11.1.2.2 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the backUrl parameter in a changepwd action to identity/faces/firstlogin.

CVSS vector

AV:N/AC:M/C:P/I:P/A:N
Exploitability: 8.6 | Impact: 4.9

Affected Packages (1 package)

NVD: oracle/identity_manager 11.1.2.1.0

🔴 Vulnerability Details (2)

GHSA
GHSA-g4hf-25ch-pmvp: Open redirect vulnerability in the Oracle Identity Manager component in Oracle Fusion Middleware 11 (2022-05-17)
CVEList
CVE-2014-2880: Open redirect vulnerability in the Oracle Identity Manager component in Oracle Fusion Middleware 11 (2014-04-17)

💥 Exploits & PoCs (1)

Exploit-DB
Oracle Identity Manager 11g R2 SP1 (11.1.2.1.0) - Unvalidated Redirects (2014-04-03)