Security restrictions bypass in Oracle Communications Applications
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2018-2756 |
| CWE-ID | CWE-264 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Oracle Communications Order and Service Management Web applications / Remote management & hosting panels |
| Vendor | Oracle |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Security restrictions bypass
EUVDB-ID: #VU11991
Risk: Low
CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-2756
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system.
The weakness exists in the Oracle Communications Order and Service Management component of Oracle Communications Applications due to improper security restrictions. A remote attacker can trick the victim into opening a specially crafted file, gain unauthorized access to critical data or complete access to all Oracle Communications Order and Service Management accessible data and unauthorized update, insert or delete access to some of Oracle Communications Order and Service Management accessible data.
Install update from vendor's website.
Vulnerable software versionsOracle Communications Order and Service Management: 7.2.4.3.0 - 7.3.5.0
External linkshttp://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
