Main Vulnerability Database SB2014041713

SB2014041713 - Input validation error in Oracle Identity Manager

Published: April 17, 2014 Updated: August 10, 2020

Security Bulletin ID SB2014041713

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Input validation error (CVE-ID: CVE-2014-2880)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Open redirect vulnerability in the Oracle Identity Manager component in Oracle Fusion Middleware 11.1.1.5, 11.1.1.7, 11.1.2.1, and 11.1.2.2 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the backUrl parameter in a changepwd action to identity/faces/firstlogin.

Remediation

Install update from vendor's website.

References

http://packetstormsecurity.com/files/125992/Oracle-Identity-Manager-11g-R2-SP1-Unvalidated-Redirect.html
http://www.exploit-db.com/exploits/32670
http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html
http://www.osvdb.org/105384
http://www.securityfocus.com/bid/66615