Detections
Analytics
Oracle WebCenter Content 'GET_SEARCH_RESULTS' SQL Injection
medium Nessus Plugin ID 57980
Language:
Synopsis
The remote host is affected by a SQL injection vulnerability.Description
The Oracle WebCenter Content install on the remote host does not properly sanitize the 'SortField', 'SortOrder', and 'QueryText' parameters of the 'GET_SEARCH_RESULTS' IDC service. An attacker can exploit this flaw to launch SQL injection attacks which could lead to authentication bypass, disclosure of sensitive information, and attacks against the underlying database.Solution
See the Oracle advisory for information on obtaining and applying bug fix patches.See Also
http://www.nessus.org/u?9f19d081
https://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html
Plugin Details
Severity: Medium
ID: 57980
File Name: oracle_webcenter_content_idcplg_sql_injection.nasl
Version: 1.8
Type: remote
Family: CGI abuses
Published: 2/16/2012
Updated: 4/11/2022
Configuration: Enable thorough checks
Supported Sensors: Nessus
Risk Information
VPR
Risk Factor: Low
Score: 3.4
CVSS v2
Risk Factor: Medium
Base Score: 6.4
Temporal Score: 5.6
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N
Vulnerability Information
CPE: cpe:/a:oracle:fusion_middleware
Required KB Items: installed_sw/Oracle WebCenter Content
Excluded KB Items: Settings/disable_cgi_scanning
Exploit Ease: No exploit is required
Patch Publication Date: 1/18/2012
Vulnerability Publication Date: 1/18/2012
Reference Information
CVE: CVE-2012-0083
BID: 51451