#VU36864 Input validation error in Siebel UI Framework - CVE-2018-2959

Cybersecurity Help s.r.o.

Published: 2018-07-18 | Updated: 2020-08-08

Vulnerability identifier: #VU36864

Vulnerability risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-2959

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Siebel UI Framework
Server applications / Frameworks for developing and running applications

Vendor: Oracle

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

Vulnerability in the Siebel UI Framework component of Oracle Siebel CRM (subcomponent: UIF Open UI). The supported version that is affected is 18.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Siebel UI Framework. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Siebel UI Framework accessible data. CVSS 3.0 Base Score 4.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N).

Mitigation
Install update from vendor's website.

Vulnerable software versions

Siebel UI Framework: 18.0

External links
https://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
https://www.securityfocus.com/bid/104816

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Input validation error in Oracle Siebel UI Framework