CVE-2018-16959

An issue was discovered in Oracle WebCenter Interaction Portal 10.3.3. The portal component is delivered with an insecure default User Profile community configuration that allows anonymous users to retrieve the account names of all portal users via /portal/server.pt/user/user/ requests. When WCI is synchronised with Active Directory (AD), this vulnerability can expose the account names of all AD users. NOTE: this CVE is assigned by MITRE and isn't validated by Oracle because Oracle WebCenter Interaction Portal is out of support.
References
Link Resource
http://www.securityfocus.com/bid/105350 Third Party Advisory VDB Entry
https://seclists.org/fulldisclosure/2018/Sep/22 Mailing List Third Party Advisory
http://www.securityfocus.com/bid/105350 Third Party Advisory VDB Entry
https://seclists.org/fulldisclosure/2018/Sep/22 Mailing List Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:oracle:webcenter_interaction:10.3.3:*:*:*:*:*:*:*

History

21 Nov 2024, 03:53

Type Values Removed Values Added
References () http://www.securityfocus.com/bid/105350 - Third Party Advisory, VDB Entry () http://www.securityfocus.com/bid/105350 - Third Party Advisory, VDB Entry
References () https://seclists.org/fulldisclosure/2018/Sep/22 - Mailing List, Third Party Advisory () https://seclists.org/fulldisclosure/2018/Sep/22 - Mailing List, Third Party Advisory

Information

Published : 2018-09-18 02:29

Updated : 2024-11-21 03:53


NVD link : CVE-2018-16959

Mitre link : CVE-2018-16959

CVE.ORG link : CVE-2018-16959


JSON object : View

Products Affected

oracle

  • webcenter_interaction
CWE
CWE-200

Exposure of Sensitive Information to an Unauthorized Actor