Acunetix DAST powers runtime capabilities for Invicti’s complete AppSec platform. Visit Invicti for more.

WEB APPLICATION VULNERABILITIES Standard & Premium

Oracle E-Business Suite Frame Injection (CVE-2017-3528)

Description

Oracle EBS "Popup windows" subcomponent allows a remote attacker to control the source of the frame. It can be used for phishing attacks.

Remediation

Upgrade to the latest version of Oracle E-Business Suite

References

Oracle Critical Patch Update Advisory - April 2017

Related Vulnerabilities

Cookies with Secure flag set over insecure connection

Httpoxy vulnerability

Django Debug Toolbar

WordPress plugin Custom Contact Forms critical vulnerability

RethinkDB administrative interface publicly exposed

Severity

Medium

Classification

CVE-2017-3528 CWE-601 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

Abuse Of Functionality Configuration