It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted URL-like text into the editor, and then press Enter or Space (in the Autolink plugin).

The versions of Oracle Siebel CRM installed on the remote host are affected by multiple vulnerabilities as referenced in the October 2021 CPU advisory.

  - Vulnerability in the Siebel Core - Automation product of Oracle Siebel CRM (component: Test Automation     (Eclipse Jetty)). Supported versions that are affected are 21.9 and prior. Easily exploitable     vulnerability allows unauthenticated attacker with network access via TLS to compromise Siebel Core -     Automation. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or     frequently repeatable crash (complete DOS) of Siebel Core - Automation. (CVE-2021-28165)

  - Vulnerability in the Siebel UI Framework product of Oracle Siebel CRM (component: EAI (Apache Tomcat)).
    Supported versions that are affected are 21.9 and prior. Easily exploitable vulnerability allows     unauthenticated attacker with network access via HTTP to compromise Siebel UI Framework. Successful     attacks of this vulnerability can result in unauthorized access to critical data or complete access to all     Siebel UI Framework accessible data. (CVE-2021-25122)

  - Vulnerability in the Siebel UI Framework product of Oracle Siebel CRM (component: EAI, SWSE (OpenSSL)).
    Supported versions that are affected are 21.9 and prior. Easily exploitable vulnerability allows     unauthenticated attacker with network access via TLS to compromise Siebel UI Framework. Successful attacks     of this vulnerability can result in unauthorized access to critical data or complete access to all Siebel     UI Framework accessible data. (CVE-2016-2183)

  - Vulnerability in the Siebel Apps - Marketing product of Oracle Siebel CRM (component: Marketing (Apache     Tomcat)). Supported versions that are affected are 21.9 and prior. Difficult to exploit vulnerability     allows low privileged attacker with logon to the infrastructure where Siebel Apps - Marketing executes to     compromise Siebel Apps - Marketing. Successful attacks of this vulnerability can result in takeover of     Siebel Apps - Marketing. (CVE-2020-9484)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Oracle WebCenter Sites component of Oracle Fusion Middleware is affected by multiple vulnerabilities.

  - Component: WebCenter Sites (Terracotta Quartz Scheduler)). The supported   versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable   vulnerability allows unauthenticated attacker with network access via HTTP to   compromise Oracle WebCenter Sites. Successful attacks of this vulnerability   can result in takeover of Oracle WebCenter Sites. (CVE-2019-13990)

  - Component: WebCenter Sites (XStream)). The supported versions that are   affected are 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability   allows low privileged attacker with network access via HTTP to compromise   Oracle WebCenter Sites. Successful attacks of this vulnerability can result   in takeover of Oracle WebCenter Sites. (CVE-2021-29505)

  - Component: WebCenter Sites (dojo)). The supported versions that are   affected are 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability   allows unauthenticated attacker with network access via HTTP to compromise   Oracle WebCenter Sites. Successful attacks of this vulnerability can result   in unauthorized creation, deletion or modification access to critical data or   all Oracle WebCenter Sites accessible data. (CVE-2020-5258)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version

The versions of Oracle Database Server installed on the remote host are affected by multiple vulnerabilities as referenced in the October 2021 CPU advisory.

  - Vulnerability in the Zero Downtime DB Migration to Cloud component of Oracle Database Server. The     supported version that is affected is 21c. Easily exploitable vulnerability allows high privileged     attacker having Local Logon privilege with logon to the infrastructure where Zero Downtime DB Migration to     Cloud executes to compromise Zero Downtime DB Migration to Cloud. While the vulnerability is in Zero     Downtime DB Migration to Cloud, attacks may significantly impact additional products. Successful attacks     of this vulnerability can result in takeover of Zero Downtime DB Migration to Cloud. (CVE-2021-35599)

  - Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are     12.1.0.2, 12.2.0.1, 19c and 21c. Difficult to exploit vulnerability allows low privileged attacker having     Create Procedure privilege with network access via Oracle Net to compromise Java VM. Successful attacks     require human interaction from a person other than the attacker. Successful attacks of this vulnerability     can result in takeover of Java VM. (CVE-2021-35619)

  - Vulnerability in the Oracle LogMiner component of Oracle Database Server. Supported versions that are     affected are 12.1.0.2, 12.2.0.1 and 19c. Easily exploitable vulnerability allows high privileged attacker     having DBA privilege with network access via Oracle Net to compromise Oracle LogMiner. Successful attacks     of this vulnerability can result in unauthorized creation, deletion or modification access to critical     data or all Oracle LogMiner accessible data as well as unauthorized read access to a subset of Oracle     LogMiner accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete     DOS) of Oracle LogMiner. (CVE-2021-2332)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
212425	Oracle Siebel Server (October 2021 CPU)	Nessus	Misc.	high
154418	Oracle WebCenter Sites Multiple Vulnerabilities (Oct 2021 CPU)	Nessus	Windows	critical
154332	Oracle Database Server Multiple Vulnerabilities (October 2021 CPU)	Nessus	Databases	critical

Detections

Analytics

CVE-2021-26272

medium

Tenable Plugins

high

critical

critical