Multiple vulnerabilities in Oracle Financial Services Applications



Risk: High
Patch available: YES
Number of vulnerabilities: 43
CVE-ID: CVE-2017-3495, CVE-2017-3499, CVE-2017-3555, CVE-2017-3556, CVE-2017-3230, CVE-2017-3528, CVE-2017-3517, CVE-2017-3621, CVE-2017-3625, CVE-2017-3553, CVE-2017-3547, CVE-2017-3549, CVE-2017-3550, CVE-2017-3337, CVE-2017-3393, CVE-2017-3432, CVE-2017-3604, CVE-2017-3493, CVE-2017-3472, CVE-2017-3476, CVE-2017-3485, CVE-2017-3491, CVE-2017-3488, CVE-2017-3534, CVE-2017-3496, CVE-2017-3492, CVE-2017-3484, CVE-2017-3489, CVE-2017-3288, CVE-2017-3478, CVE-2017-3479, CVE-2017-3482, CVE-2017-3475, CVE-2017-3471, CVE-2017-3480, CVE-2017-3535, CVE-2017-3494, CVE-2017-3483, CVE-2017-3473, CVE-2017-3481, CVE-2017-3477, CVE-2017-3490, CVE-2017-3487
CWE-ID: CWE-264, CWE-200, CWE-284
Exploitation vector: Network
Public exploit: Public exploit code for vulnerability #6 is available. Public exploit code for vulnerability #12 is available.
Vulnerable software
Oracle FLEXCUBE Direct Banking
Other software / Other software solutions

Oracle FLEXCUBE Private Banking
Other software / Other software solutions

Oracle FLEXCUBE Universal Banking
Other software / Other software solutions

Oracle FLEXCUBE Investor Servicing
Other software / Other software solutions

Oracle Social Network
Mobile applications / Apps for mobile phones

Oracle E-Business Suite
Web applications / E-Commerce systems

Oracle Fusion Middleware
Client/Desktop applications / Office applications

PeopleSoft Enterprise PeopleTools
Client/Desktop applications / Office applications

JD Edwards EnterpriseOne Tools
Client/Desktop applications / Software for system administration

Sun ZFS Storage Appliance Kit
Server applications / Application servers

Oracle Berkeley DB
Universal components / Libraries / Libraries used by multiple products

Oracle FLEXCUBE Enterprise Limits and Collateral Management
Web applications / Remote management & hosting panels

Vendor: Oracle

Security Bulletin

This security bulletin contains information about 43 vulnerabilities.

1) Security restrictions bypass

EUVDB-ID: #VU11588

Risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-3495

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists in the Oracle FLEXCUBE Direct Banking component due to improper security restrictions. A remote attacker can trick the victim into opening a specially crafted file and gain access to a subset of Oracle FLEXCUBE Direct Banking accessible data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle FLEXCUBE Direct Banking: 12.0.2 - 12.0.3

External links

https://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Information disclosure

EUVDB-ID: #VU11589

Risk: Low

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-3499

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists in the Oracle Social Network component due to improper information control. A remote attacker can gain unauthorized access to critical data or complete access to all accessible data.

Mitigation

Update to version 11.1.12.0.0.

Vulnerable software versions

Oracle Social Network: 11.1.0

External links

https://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Improper access control

EUVDB-ID: #VU11590

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2017-3555

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated attacker to cause a DoS condition on the target system.

The weakness exists in the Oracle iReceivables component due to improper access control. A remote attacker can cause the service to crash.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle E-Business Suite: 12.1.1 - 12.2.6

External links

https://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Information disclosure

EUVDB-ID: #VU11591

Risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-3556

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists in the Oracle Application Object Library component due to improper information control. A remote attacker can gain access to potentially sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle E-Business Suite: 12.1.3 - 12.2.6

External links

https://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Improper access control

EUVDB-ID: #VU11592

Risk: Low

CVSSv4.0: 6.8 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-3230

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information, modify arbitrary data and cause a DoS condition on the target system.

The weakness exists in the Oracle Fusion Middleware MapViewer component due to improper access control. A remote attacker can gain access to potentially sensitive information, create, delete or modify arbitrary data and cause the service to crash.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Fusion Middleware: 11.1.1.9.0 - 12.2.1.2.0

External links

https://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Improper access control

EUVDB-ID: #VU11593

Risk: Low

CVSSv4.0: 2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: CVE-2017-3528

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information and write arbitrary files on the target system.

The weakness exists in the Oracle Applications Framework component due to improper access control. A remote attacker can trick the victim into visiting a specially crafted website, gain access to potentially sensitive information and update, insert or delete arbitrary data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle E-Business Suite: 12.1.3 - 12.2.6

External links

https://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

7) Improper access control

EUVDB-ID: #VU11594

Risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-3517

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information and cause a DoS condition on the target system.

The weakness exists in the JD Edwards EnterpriseOne Tools component due to improper access control. A remote attacker can gain access to potentially sensitive information and cause the service to crash.

Mitigation

Install update from vendor's website.

Vulnerable software versions

JD Edwards EnterpriseOne Tools: 9.2

External links

https://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Improper access control

EUVDB-ID: #VU11595

Risk: Low

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-3621

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated attacker to cause a DoS condition on the target system.

The weakness exists in the Sun ZFS Storage Appliance Kit (AK) component due to improper access control. A remote attacker can cause the service to crash.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Sun ZFS Storage Appliance Kit: AK 2013

External links

https://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Improper access control

EUVDB-ID: #VU11596

Risk: Low

CVSSv4.0: 4.2 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-3625

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system.

The weakness exists in the Oracle WebCenter Content component due to improper access control. A remote attacker can trick the victim into opening specially crafted input, gain access to critical data or complete access to all accessible data, and update, insert or delete arbitrary files without authorization.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Fusion Middleware: 11.1.1.7.0 - 12.2.1.2.0

External links

https://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Improper access control

EUVDB-ID: #VU11597

Risk: High

CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2017-3553

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to execute arbitrary code on the target system.

The weakness exists due to improper access control. A remote attacker can execute arbitrary code.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Fusion Middleware: 11.1.2.3.0

External links

https://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Improper access control

EUVDB-ID: #VU11598

Risk: Low

CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-3547

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated attacker to write arbitrary files on the target system.

The weakness exists in the PeopleSoft Enterprise PeopleTools component due to improper access control. A remote attacker can trick the victim into opening specially crafted input and create, delete or modify critical data or all accessible data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

PeopleSoft Enterprise PeopleTools: 8.54 - 8.55

External links

https://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Improper access control

EUVDB-ID: #VU11599

Risk: Low

CVSSv4.0: 8.8 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: CVE-2017-3549

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: Yes

Description

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information or write arbitrary files on the target system.

The weakness exists in the Oracle Scripting component due to improper access control. A remote attacker can gain access to critical data or complete access to all accessible data and create, delete or modify critical data or all accessible data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle E-Business Suite: 12.1.1 - 12.2.6

External links

https://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

13) Improper access control

EUVDB-ID: #VU11600

Risk: Low

CVSSv4.0: 4.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-3550

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system.

The weakness exists in the Oracle Customer Interaction History component due to improper access control. A remote attacker can trick the victim into visiting a specially crafted website, gain access to critical data or complete access to all accessible data and update, insert or delete some accessible data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle E-Business Suite: 12.1.1 - 12.1.3

External links

https://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Improper access control

EUVDB-ID: #VU11601

Risk: Low

CVSSv4.0: 4.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-3337

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system.

The weakness exists in the Oracle Marketing component due to improper access control. A remote attacker can trick the victim into visiting a specially crafted website, gain access to critical data or complete access to all accessible data and update, insert or delete some accessible data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle E-Business Suite: 12.1.1 - 12.2.6

External links

https://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Improper access control

EUVDB-ID: #VU11602

Risk: Low

CVSSv4.0: 4.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-3393

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system.

The weakness exists in the Oracle Advanced Outbound Telephony component due to improper access control. A remote attacker can trick the victim into visiting a specially crafted website, gain access to critical data or complete access to all accessible data and update, insert or delete some accessible data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle E-Business Suite: 12.2.3 - 12.2.6

External links

https://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) Improper access control

EUVDB-ID: #VU11603

Risk: Low

CVSSv4.0: 4.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-3432

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system.

The weakness exists in the Oracle One-to-One Fulfillment component due to improper access control. A remote attacker can trick the victim into visiting a specially crafted website, gain access to critical data or complete access to all accessible data and update, insert or delete some accessible data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle E-Business Suite: 12.1.1 - 12.1.3

External links

https://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

17) Improper access control

EUVDB-ID: #VU11604

Risk: Low

CVSSv4.0: 4.8 [CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-3604

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a local unauthenticated attacker to execute arbitrary code on the target system.

The weakness exists in the Data Store component due to improper access control. A local attacker can execute arbitrary code.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Update to version 6.2.32.

Vulnerable software versions

Oracle Berkeley DB: 11.2.5.0.32 - 12.1.6.2.32

External links

https://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

18) Security restrictions bypass

EUVDB-ID: #VU12212

Risk: Low

CVSSv4.0: 5.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:H/SI:N/SA:L/E:U/U:Clear]

CVE-ID: CVE-2017-3493

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information and cause a DoS condition on the target system.

The weakness exists in Oracle FLEXCUBE Enterprise Limits and Collateral Management due to improper security restrictions. A remote attacker can gain unauthorized access to critical data or complete access to all Oracle FLEXCUBE Enterprise Limits and Collateral Management accessible data and cause a partial denial of service.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle FLEXCUBE Enterprise Limits and Collateral Management: 12.0.0 - 12.1.0

External links

https://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

19) Security restrictions bypass

EUVDB-ID: #VU12213

Risk: Low

CVSSv4.0: 6.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-3472

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system.

The weakness exists in Oracle FLEXCUBE Private Banking due to improper security restrictions. A remote attacker can create, delete or modify critical data or all Oracle FLEXCUBE Private Banking accessible data and gain unauthorized access to critical data or complete access to all Oracle FLEXCUBE Private Banking accessible data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle FLEXCUBE Private Banking: 2.0.0 - 12.0.1

External links

https://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

20) Security restrictions bypass

EUVDB-ID: #VU12214

Risk: Low

CVSSv4.0: 5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-3476

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system.

The weakness exists in Oracle FLEXCUBE Private Banking due to improper security restrictions. A remote attacker can create, delete or modify critical data or all Oracle FLEXCUBE Private Banking accessible data and update, insert or delete some of Oracle FLEXCUBE Private Banking accessible data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle FLEXCUBE Private Banking: 2.0.0 - 12.0.1

External links

https://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

21) Security restrictions bypass

EUVDB-ID: #VU12215

Risk: Low

CVSSv4.0: 2.4 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-3485

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to write arbitrary files and cause a DoS condition on the target system.

The weakness exists in Oracle FLEXCUBE Universal Banking due to improper security restrictions. A remote attacker can create, delete or modify critical data or all Oracle FLEXCUBE Universal Banking accessible data and cause the service to crash.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle FLEXCUBE Universal Banking: 11.3.0 - 12.2.0

External links

https://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

22) Information disclosure

EUVDB-ID: #VU12216

Risk: Low

CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-3491

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists in Oracle FLEXCUBE Enterprise Limits and Collateral Management due to improper security restrictions. A remote attacker can gain unauthorized access to critical data or complete access to all Oracle FLEXCUBE Enterprise Limits and Collateral Management accessible data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle FLEXCUBE Enterprise Limits and Collateral Management: 12.0.0 - 12.1.0

External links

https://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

23) Security restrictions bypass

EUVDB-ID: #VU12217

Risk: Low

CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-3488

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to write arbitrary files on the target system.

The weakness exists in Oracle FLEXCUBE Investor Servicing due to improper security restrictions. A remote attacker can create, delete or modify critical data or all Oracle FLEXCUBE Investor Servicing accessible data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle FLEXCUBE Investor Servicing: 12.0.1 - 12.3.0

External links

https://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

24) Information disclosure

EUVDB-ID: #VU12218

Risk: Low

CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-3534

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists in Oracle FLEXCUBE Universal Banking due to improper security restrictions. A remote attacker can gain unauthorized access to critical data or complete access to all Oracle FLEXCUBE Universal Banking accessible data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle FLEXCUBE Universal Banking: 12.0.1 - 12.3.0

External links

https://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

25) Security restrictions bypass

EUVDB-ID: #VU12219

Risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-3496

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system.

The weakness exists in Oracle FLEXCUBE Enterprise Limits and Collateral Management due to improper security restrictions. A remote attacker can trick the victim into opening a specially crafted file, update, insert or delete some of Oracle FLEXCUBE Enterprise Limits and Collateral Management accessible data and gain unauthorized read access to a subset of Oracle FLEXCUBE Enterprise Limits and Collateral Management accessible data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle FLEXCUBE Enterprise Limits and Collateral Management: 12.0.0 - 12.1.0

External links

https://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

26) Security restrictions bypass

EUVDB-ID: #VU12220

Risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-3492

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system.

The weakness exists in Oracle FLEXCUBE Enterprise Limits and Collateral Management due to improper security restrictions. A remote attacker can update, insert or delete some of Oracle FLEXCUBE Enterprise Limits and Collateral Management accessible data and gain unauthorized read access to a subset of Oracle FLEXCUBE Enterprise Limits and Collateral Management accessible data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle FLEXCUBE Enterprise Limits and Collateral Management: 12.0.0 - 12.1.0

External links

https://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

27) Security restrictions bypass

EUVDB-ID: #VU12221

Risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-3484

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system.

The weakness exists in Oracle FLEXCUBE Enterprise Limits and Collateral Management due to improper security restrictions. A remote attacker can update, insert or delete some of Oracle FLEXCUBE Enterprise Limits and Collateral Management accessible data and gain unauthorized read access to a subset of Oracle FLEXCUBE Enterprise Limits and Collateral Management accessible data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle FLEXCUBE Enterprise Limits and Collateral Management: 12.0.0 - 12.1.0

External links

https://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

28) Security restrictions bypass

EUVDB-ID: #VU12222

Risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-3489

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system.

The weakness exists in Oracle FLEXCUBE Investor Servicing due to improper security restrictions. A remote attacker can update, insert or delete some of Oracle FLEXCUBE Investor Servicing accessible data and gain unauthorized read access to a subset of Oracle FLEXCUBE Investor Servicing accessible data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle FLEXCUBE Investor Servicing: 12.0.1 - 12.3.0

External links

https://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

29) Security restrictions bypass

EUVDB-ID: #VU12223

Risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-3288

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system.

The weakness exists in Oracle FLEXCUBE Investor Servicing due to improper security restrictions. A remote attacker can update, insert or delete some of Oracle FLEXCUBE Investor Servicing accessible data and gain unauthorized read access to a subset of Oracle FLEXCUBE Investor Servicing accessible data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle FLEXCUBE Investor Servicing: 12.0.1 - 12.3.0

External links

https://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

30) Security restrictions bypass

EUVDB-ID: #VU12224

Risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-3478

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system.

The weakness exists in Oracle FLEXCUBE Private Banking due to improper security restrictions. A remote attacker can update, insert or delete some of Oracle FLEXCUBE Private Banking accessible data and gain unauthorized read access to a subset of Oracle FLEXCUBE Private Banking accessible data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle FLEXCUBE Private Banking: 12.0.0 - 12.1.0

External links

https://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

31) Security restrictions bypass

EUVDB-ID: #VU12225

Risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-3479

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to write arbitrary files and cause a DoS condition on the target system.

The weakness exists in Oracle FLEXCUBE Private Banking due to improper security restrictions. A remote attacker can update, insert or delete some of Oracle FLEXCUBE Private Banking accessible data and partially cause the service to crash.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle FLEXCUBE Private Banking: 2.0.0 - 12.0.1

External links

https://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

32) Security restrictions bypass

EUVDB-ID: #VU12226

Risk: Low

CVSSv4.0: 1.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-3482

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system.

The weakness exists in Oracle FLEXCUBE Universal Banking due to improper security restrictions. A remote attacker can trick the victim into opening a specially crafted file, update, insert or delete some of Oracle FLEXCUBE Universal Banking accessible data and gain unauthorized read access to a subset of Oracle FLEXCUBE Universal Banking accessible data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle FLEXCUBE Universal Banking: 12.0.0 - 12.3.0

External links

https://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

33) Security restrictions bypass

EUVDB-ID: #VU12227

Risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-3475

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to cause a DoS condition on the target system.

The weakness exists in Oracle FLEXCUBE Private Banking due to improper security restrictions. A remote attacker can partially cause the service to crash.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle FLEXCUBE Private Banking: 2.0.0 - 12.0.1

External links

https://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

34) Security restrictions bypass

EUVDB-ID: #VU12228

Risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-3471

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated attacker to write arbitrary files on the target system.

The weakness exists in Oracle FLEXCUBE Private Banking due to improper security restrictions. A remote attacker can trick the victim into opening a specially crafted file and update, insert or delete some of Oracle FLEXCUBE Private Banking accessible data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle FLEXCUBE Private Banking: 12.0.0 - 12.1.0

External links

https://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

35) Information disclosure

EUVDB-ID: #VU12229

Risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-3480

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists in Oracle FLEXCUBE Universal Banking due to improper security restrictions. A remote attacker can trick the victim into opening a specially crafted file and gain unauthorized read access to a subset of Oracle FLEXCUBE Universal Banking accessible data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle FLEXCUBE Universal Banking: 11.3.0 - 12.0.1

External links

https://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

36) Information disclosure

EUVDB-ID: #VU12230

Risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-3535

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists in Oracle FLEXCUBE Universal Banking due to improper security restrictions. A remote attacker can trick the victim into opening a specially crafted file and gain unauthorized read access to a subset of Oracle FLEXCUBE Universal Banking accessible data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle FLEXCUBE Universal Banking: 11.3.0 - 12.0.3

External links

https://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

37) Information disclosure

EUVDB-ID: #VU12231

Risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-3494

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists in Oracle FLEXCUBE Universal Banking due to improper security restrictions. A remote attacker can trick the victim into opening a specially crafted file and gain unauthorized read access to a subset of Oracle FLEXCUBE Universal Banking accessible data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle FLEXCUBE Universal Banking: 11.3.0 - 12.0.3

External links

https://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

38) Information disclosure

EUVDB-ID: #VU12232

Risk: Low

CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-3483

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a local authenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists in Oracle FLEXCUBE Enterprise Limits and Collateral Management due to improper security restrictions. A local attacker can gain unauthorized read access to critical data and all of Oracle FLEXCUBE Enterprise Limits and Collateral Management accessible data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle FLEXCUBE Enterprise Limits and Collateral Management: 12.0.0 - 12.1.0

External links

https://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

39) Information disclosure

EUVDB-ID: #VU12233

Risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-3473

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists in Oracle FLEXCUBE Private Banking due to improper security restrictions. A remote attacker can gain unauthorized read access to a subset of Oracle FLEXCUBE Private Banking accessible data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle FLEXCUBE Private Banking: 2.0.0 - 12.0.1

External links

https://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

40) Security restrictions bypass

EUVDB-ID: #VU12234

Risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-3481

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to cause a DoS condition on the target system.

The weakness exists in Oracle FLEXCUBE Universal Banking due to improper security restrictions. A remote attacker can partially cause the service to crash.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle FLEXCUBE Universal Banking: 11.3.0 - 12.0.1

External links

https://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

41) Security restrictions bypass

EUVDB-ID: #VU12236

Risk: Low

CVSSv4.0: 0.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-3477

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system.

The weakness exists in Oracle FLEXCUBE Private Banking due to improper security restrictions. A remote attacker can update, insert or delete some of Oracle FLEXCUBE Private Banking accessible data and gain unauthorized read access to a subset of Oracle FLEXCUBE Private Banking accessible data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle FLEXCUBE Universal Banking: 12.0.0

Oracle FLEXCUBE Private Banking: 12.1.0

External links

https://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

42) Information disclosure

EUVDB-ID: #VU12237

Risk: Low

CVSSv4.0: 0.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-3490

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists in Oracle FLEXCUBE Enterprise Limits and Collateral Management due to improper security restrictions. A remote attacker can gain unauthorized read access to a subset of Oracle FLEXCUBE Enterprise Limits and Collateral Management accessible data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle FLEXCUBE Enterprise Limits and Collateral Management: 12.0.0 - 12.1.0

External links

https://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

43) Security restrictions bypass

EUVDB-ID: #VU12238

Risk: Low

CVSSv4.0: 0.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-3487

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to write arbitrary files on the target system.

The weakness exists in Oracle FLEXCUBE Investor Servicing due to improper security restrictions. A remote attacker can update, insert or delete some of Oracle FLEXCUBE Investor Servicing accessible data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle FLEXCUBE Investor Servicing: 12.0.1 - 12.3.0

External links

https://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


