CVE-2018-3237
https://notcve.org/view.php?id=CVE-2018-3237
Vulnerability in the Oracle Applications Manager component of Oracle E-Business Suite (subcomponent: Support Cart). Supported versions that are affected are 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6 and 12.2.7. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Applications Manager. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Applications Manager accessible data. CVSS 3.0 Base Score 5.3 (Confidentiality impacts). • http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html http://www.securityfocus.com/bid/105620 http://www.securitytracker.com/id/1041897 •
CVE-2018-3235
https://notcve.org/view.php?id=CVE-2018-3235
Vulnerability in the Oracle Applications Manager component of Oracle E-Business Suite (subcomponent: None). Supported versions that are affected are 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6 and 12.2.7. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Applications Manager. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Applications Manager, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Applications Manager accessible data as well as unauthorized update, insert or delete access to some of Oracle Applications Manager accessible data. • http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html http://www.securityfocus.com/bid/105620 http://www.securitytracker.com/id/1041897 •
CVE-2018-2996
https://notcve.org/view.php?id=CVE-2018-2996
Vulnerability in the Oracle Applications Manager component of Oracle E-Business Suite (subcomponent: Oracle Diagnostics Interfaces). Supported versions that are affected are 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6 and 12.2.7. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Applications Manager. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Applications Manager accessible data. CVSS 3.0 Base Score 7.5 (Confidentiality impacts). • http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html http://www.securityfocus.com/bid/104837 http://www.securitytracker.com/id/1041309 •
CVE-2017-5645 – log4j: Socket receiver deserialization vulnerability
https://notcve.org/view.php?id=CVE-2017-5645
In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code. En Apache Log4j 2.x en versiones anteriores a 2.8.2, cuando se utiliza el servidor de socket TCP o el servidor de socket UDP para recibir sucesos de registro serializados de otra aplicación, puede enviarse una carga binaria especialmente diseñada que, cuando se deserializa, puede ejecutar código arbitrario. It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. • https://github.com/pimps/CVE-2017-5645 http://www.openwall.com/lists/oss-security/2019/12/19/2 http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html http://www.securityfocus.com/bid/97702 http://www.securitytracker.com/id/1040200 http://www.securit • CWE-502: Deserialization of Untrusted Data •
CVE-2016-9488 – ManageEngine Applications Manager versions 12 and 13 suffer from remote SQL injection vulnerabilities
https://notcve.org/view.php?id=CVE-2016-9488
ManageEngine Applications Manager versions 12 and 13 before build 13200 suffer from remote SQL injection vulnerabilities. An unauthenticated attacker is able to access the URL /servlet/MenuHandlerServlet, which is vulnerable to SQL injection. The attacker could extract users' password hashes, which are MD5 hashes without salt, and, depending on the database type and its configuration, could also execute operating system commands using SQL queries. ManageEngine Applications Manager en versiones 12 y 13 anteriores al build 13200 sufre de vulnerabilidades de inyección SQL remota. Un atacante no autenticado puede acceder a la URL /servlet/MenuHandlerServlet, que es vulnerable a la inyección SQL. • https://www.exploit-db.com/exploits/48692 http://packetstormsecurity.com/files/158554/ManageEngine-Applications-Manager-13-SQL-Injection.html http://seclists.org/fulldisclosure/2017/Apr/9 http://www.securityfocus.com/bid/97394 https://packetstormsecurity.com/files/142022/ManageEngine-Applications-Manager-12-13-XSS-SQL-Injection-Code-Execution.html https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2016-9488.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •