CVE-2018-16958

An issue was discovered in Oracle WebCenter Interaction Portal 10.3.3. The ASP.NET_SessionID primary session cookie, when Internet Information Services (IIS) with ASP.NET is used, is not protected with the HttpOnly attribute. The attribute cannot be enabled by customers. Consequently, this cookie is exposed to session hijacking attacks should an adversary be able to execute JavaScript in the origin of the portal installation. NOTE: this CVE is assigned by MITRE and isn't validated by Oracle because Oracle WebCenter Interaction Portal is out of support.
References
Link Resource
http://www.securityfocus.com/bid/105350 Third Party Advisory VDB Entry
https://seclists.org/fulldisclosure/2018/Sep/22 Mailing List Third Party Advisory
http://www.securityfocus.com/bid/105350 Third Party Advisory VDB Entry
https://seclists.org/fulldisclosure/2018/Sep/22 Mailing List Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:oracle:webcenter_interaction:10.3.3:*:*:*:*:*:*:*

History

21 Nov 2024, 03:53

Type Values Removed Values Added
References () http://www.securityfocus.com/bid/105350 - Third Party Advisory, VDB Entry () http://www.securityfocus.com/bid/105350 - Third Party Advisory, VDB Entry
References () https://seclists.org/fulldisclosure/2018/Sep/22 - Mailing List, Third Party Advisory () https://seclists.org/fulldisclosure/2018/Sep/22 - Mailing List, Third Party Advisory

Information

Published : 2018-09-18 02:29

Updated : 2024-11-21 03:53


NVD link : CVE-2018-16958

Mitre link : CVE-2018-16958

CVE.ORG link : CVE-2018-16958


JSON object : View

Products Affected

oracle

  • webcenter_interaction
CWE
CWE-732

Incorrect Permission Assignment for Critical Resource