Main Vulnerability Database SB2019011708

SB2019011708 - Arbitrary file upload in Oracle Siebel UI Framework

Published: January 17, 2019

Security Bulletin ID SB2019011708

Severity

Critical

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Arbitrary file upload (CVE-ID: CVE-2018-9206)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists in the plugin's source code that handles file uploads to PHP servers due to software allows upload of arbitrary files to the system. A remote unauthenticated attacker can upload arbitrary .htaccess file to impose security restrictions to its upload folder and upload backdoors and web shells.

Note: The vulnerability has been actively exploited for at least 3 years.

Remediation

Install update from vendor's website.

References

https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html#AppendixEM