Oracle Application Server Portal vulnerabilities

5 known vulnerabilities affecting oracle/application_server_portal.

Total CVEs

5

CISA KEV

0

Public exploits

3

Exploited in wild

0

Severity breakdown

HIGH3MEDIUM2

Vulnerabilities

Page 1 of 1

CVE-2008-2138MEDIUMCVSS 5.0PoCv10g2008-05-12

CVE-2008-2138 [MEDIUM] CWE-264 CVE-2008-2138: Oracle Application Server (OracleAS) Portal 10g allows remote attackers to bypass intended access re Oracle Application Server (OracleAS) Portal 10g allows remote attackers to bypass intended access restrictions and read the contents of /dav_portal/portal/ by sending a request containing a trailing "%0A" (encoded line feed), then using the session ID that is generated from that request. NOTE: as of 20080512, Oracle has not commented on the accuracy o

CVE-2006-6699MEDIUMCVSS 5.0v9.0.22006-12-23

CVE-2006-6699 [MEDIUM] CVE-2006-6699: Multiple CRLF injection vulnerabilities in Oracle Portal 9.0.2 and possibly other versions allow rem Multiple CRLF injection vulnerabilities in Oracle Portal 9.0.2 and possibly other versions allow remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the enc parameter to (1) calendarDialog.jsp or (2) fred.jsp. NOTE: the calendar.jsp vector is covered by CVE-2006-6697.

CVE-2006-6697HIGHCVSS 7.5PoCv9.0.2v10g2006-12-22

CVE-2006-6697 [HIGH] CVE-2006-6697: CRLF injection vulnerability in webapp/jsp/calendar.jsp in Oracle Portal 10g and earlier, including CRLF injection vulnerability in webapp/jsp/calendar.jsp in Oracle Portal 10g and earlier, including 9.0.2, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the enc parameter.

CVE-2004-1707HIGHCVSS 7.2PoCv3.0.9.8.5v9.0.2.3+2 more2004-07-30

CVE-2004-1707 [HIGH] CVE-2004-1707: The (1) dbsnmp and (2) nmo programs in Oracle 8i, Oracle 9i, and Oracle IAS 9.0.2.0.1, on Unix syste The (1) dbsnmp and (2) nmo programs in Oracle 8i, Oracle 9i, and Oracle IAS 9.0.2.0.1, on Unix systems, use a default path to find and execute library files while operating at raised privileges, which allows certain Oracle user accounts to gain root privileges via a modified libclntsh.so.9.0.

CVE-2003-1193HIGHCVSS 7.5v3.0.9.8.5v9.0.2.3+2 more2003-11-03

CVE-2003-1193 [HIGH] CVE-2003-1193: Multiple SQL injection vulnerabilities in the Portal DB (1) List of Values (LOVs), (2) Forms, (3) Hi Multiple SQL injection vulnerabilities in the Portal DB (1) List of Values (LOVs), (2) Forms, (3) Hierarchy, and (4) XML components packages in Oracle Oracle9i Application Server 9.0.2.00 through 3.0.9.8.5 allow remote attackers to execute arbitrary SQL commands via the URL.