Oracle WebCenter Sites Multiple Vulnerabilities (October 2012 CPU)

This script is Copyright (C) 2014-2015 Tenable Network Security, Inc.


Synopsis :

The remote host has software installed that is affected by multiple
vulnerabilities.

Description :

The remote Oracle WebCenter Sites install is missing patches from the
October 2012 CPU. As a result, it may be affected by multiple
vulnerabilities :

- A cross-site request forgery vulnerability exists that
can be triggered by tricking a victim into clicking an
image link on a specially crafted page. (CVE-2012-3185)

- A flaw in the UI Subcomponent could allow an
authenticated user to alter the email address
information of other users. (CVE-2012-3183)

- The UI Subcomponent is affected by a cross-site
scripting vulnerability due to lack of sanitization for
the 'username' and 'StartItem' parameters.
(CVE-2012-3184)

- The 'selectedLocale' parameter in the UI Subcomponent is
not properly sanitized and allows SQL injection.
(CVE-2012-3186)

- The Oracle WebCenter Sites ImagePicker Subcomponent is
affected by an unspecified local vulnerability.
(CVE-2012-5065)

See also :

http://www.nessus.org/u?1cef09be

Solution :

Apply the appropriate patch according to the October 2012 Oracle
Critical Patch Update advisory.

Risk factor :

Medium / CVSS Base Score : 5.5
(CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N)
CVSS Temporal Score : 4.3
(CVSS2#E:POC/RL:OF/RC:C)
Public Exploit Available : true

Family: Windows

Nessus Plugin ID: 72778

Bugtraq ID: 55968, 55972, 55980, 55984, 56001

CVE ID: CVE-2012-3183, CVE-2012-3184, CVE-2012-3185, CVE-2012-3186, CVE-2012-5065
