CVE-2018-16959

Published: Sep 18, 2018Modified: Nov 21, 2024

5.3

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Exploitability: 3.9 / Impact: 1.4

Source: NVD

Description

An issue was discovered in Oracle WebCenter Interaction Portal 10.3.3. The portal component is delivered with an insecure default User Profile community configuration that allows anonymous users to retrieve the account names of all portal users via /portal/server.pt/user/user/ requests. When WCI is synchronised with Active Directory (AD), this vulnerability can expose the account names of all AD users. NOTE: this CVE is assigned by MITRE and isn't validated by Oracle because Oracle WebCenter Interaction Portal is out of support.

Affected (1)

Products: Oracle: Webcenter Interaction

1 product

Webcenter Interaction

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Oracle Webcenter Interaction	Version 10.3.3

Related CWEs

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References (4)

http://www.securityfocus.com/bid/105350

Source: cve@mitre.org

Third Party AdvisoryVDB Entry

https://seclists.org/fulldisclosure/2018/Sep/22

Source: cve@mitre.org

Mailing ListThird Party Advisory

http://www.securityfocus.com/bid/105350

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

https://seclists.org/fulldisclosure/2018/Sep/22

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

Timeline

No history available yet.