https://github.com/nahsra/antisamy/issues/10

http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

105656

https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

https://www.oracle.com/security-alerts/cpujan2020.html

https://www.oracle.com/security-alerts/cpuApr2021.html

The 13.4.0.0 versions of Enterprise Manager Base Platform installed on the remote host are affected by multiple vulnerabilities as referenced in the July 2021 CPU advisory.

  - Vulnerability in the StorageTek Tape Analytics SW Tool product of Oracle Systems (component: Software     (dom4j)). The supported version that is affected is 2.3. Easily exploitable vulnerability allows     unauthenticated attacker with network access via HTTP to compromise StorageTek Tape Analytics SW Tool.
    Successful attacks of this vulnerability can result in takeover of StorageTek Tape Analytics SW Tool.     (CVE-2020-10683)

  - Vulnerability in the Enterprise Manager Base Platform product of Oracle Enterprise Manager (component:
    Application Service Level Mgmt (OpenCV)). The supported version that is affected is 13.4.0.0. Easily     exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise     Enterprise Manager Base Platform. Successful attacks require human interaction from a person other than     the attacker. Successful attacks of this vulnerability can result in takeover of Enterprise Manager Base     Platform. (CVE-2019-5064)

  - Vulnerability in the Enterprise Manager Base Platform product of Oracle Enterprise Manager (component:
    Discovery Framework (OpenSSL)). The supported version that is affected is 13.4.0.0. Easily exploitable     vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Enterprise     Manager Base Platform. Successful attacks of this vulnerability can result in unauthorized ability to     cause a hang or frequently repeatable crash (complete DOS) of Enterprise Manager Base Platform. (CVE-2020-1971)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Oracle E-Business Suite installed on the remote host is affected by multiple vulnerabilities as referenced in the April 2021 CPU advisory.

  - A vulnerability exists in the Oracle Applications Framework product of Oracle E-Business Suite (component:
    Home page). The supported version that is affected is 12.2.10. Easily exploitable vulnerability allows     unauthenticated attacker with network access via HTTP to compromise Oracle Applications Framework.
    Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification     access to critical data or all Oracle Applications Framework accessible data as well as unauthorized     access to critical data or complete access to all Oracle Applications Framework accessible data.
    (CVE-2021-2200)

  - A vulnerability exists in the Oracle Marketing product of Oracle E-Business Suite (component: Marketing     Administration). Supported versions that are affected are 12.2.7-12.2.10. Easily exploitable vulnerability     allows unauthenticated attacker with network access via HTTP to compromise Oracle Marketing. Successful     attacks of this vulnerability can result in unauthorized creation, deletion or modification access to     critical data or all Oracle Marketing accessible data as well as unauthorized access to critical data or     complete access to all Oracle Marketing accessible data. (CVE-2021-2205)

  - A vulnerability exists in the Oracle Email Center product of Oracle E-Business Suite (component: Message     Display). Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.10. Easily exploitable     vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Email     Center. While the vulnerability is in Oracle Email Center, attacks may significantly impact additional     products. Successful attacks of this vulnerability can result in unauthorized access to critical data or     complete access to all Oracle Email Center accessible data as well as unauthorized update, insert or     delete access to some of Oracle Email Center accessible data. (CVE-2021-2209)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version   number.

The version of Oracle Application Testing Suite installed on the remote host is affected by multiple vulnerabilities : 

  - Vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager (component: Oracle Flow Builder (Jython)).   Supported versions that are affected are 12.5.0.3, 13.1.0.1, 13.2.0.1 and 13.3.0.1.   Easily exploitable vulnerability allows unauthenticated attacker with network   access via HTTP to compromise Oracle Application Testing Suite. Successful attacks    of this vulnerability can result in takeover of Oracle Application Testing Suite.   (CVE-2016-4000)	

  - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager     subcomponent Oracle Flow Builder (Jython).  An unauthenticated, remote attacker with network     access via HTTP to compromise Oracle Application Testing Suite. (CVE-2016-4000)

  - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager     subcomponent Load Testing for Web Apps (Apache POI).  An unauthenticated, remote attacker with network     access via HTTP to compromise Oracle Application Testing Suite and cause the process to hang     or frequently repeatable crash (complete DOS). (CVE-2017-12626)

  - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager     subcomponent Oracle Flow Builder (Apache POI).  An unauthenticated, remote attacker with network     access via HTTP to compromise Oracle Application Testing Suite and cause the process to hang     or frequently repeatable crash (complete DOS). (CVE-2017-12626)

  - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager     subcomponent Load Testing for Web Apps (AntiSamy).  An unauthenticated, remote attacker with network     access via HTTP who is able to obtain human interaction can impact additional products and result in     an unauthorized update, insert, or delete access to some accessible data as well as unauthorized     read access to a subset of accessible data. (CVE-2017-14735)

  - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager     subcomponent Oracle Flow Builder (Antisamy).  An unauthenticated, remote attacker with network     access via HTTP who is able to obtain human interaction can impact additional products and result in     an unauthorized update, insert, or delete access to some accessible data as well as unauthorized     read access to a subset of accessible data. (CVE-2017-14735)

  - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager     subcomponent Load Testing for Web Apps (Application Development Framework).  An unauthenticated, remote attacker with network     access via HTTP can result in takeover of Oracle Application Testing Suite. (CVE-2019-2904)

  - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager     subcomponent Oracle Flow Builder (jQuery).  An unauthenticated, remote attacker with network     access via HTTP who is able to obtain human interaction can impact additional products and result in     an unauthorized update, insert, or delete access to some accessible data as well as unauthorized     read access to a subset of accessible data. (CVE-2019-11358)

  - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager     subcomponent Load Testing for Web Apps (Apache POI).  An authenticated, low priviledged remote attacker     with network access to the infrastructure can result in unauthorized access to critical data or    complete access to all Oracle Application Testing Suite accessible data. (CVE-2019-12415)

  - An unspecified vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager     subcomponent Oracle Flow Builder.  An unauthenticated remote attacker     with network access via HTTP can result in unauthorized access to critical data or    complete access to all Oracle Application Testing Suite accessible data. (CVE-2020-2673)

ID	Name	Product	Family	Severity
151903	Oracle Enterprise Manager Cloud Control (Jul 2021 CPU)	Nessus	Misc.	critical
148952	Oracle E-Business Suite Multiple Vulnerabilities (April 2021 CPU)	Nessus	Misc.	high
133260	Oracle Application Testing Suite Multiple Vulnerabilities (Jan 2020 CPU)	Nessus	Misc.	critical

CVE-2017-14735

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

critical

high

critical