CVE-2014-2880

Name of the Vulnerable Software and Affected Versions Oracle Fusion Middleware versions 11.1.1.5 through 11.1.2.2

Description The issue allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks. This is achieved via a URL in the backUrl parameter in a changepwd action to "identity/faces/firstlogin".

Recommendations For Oracle Fusion Middleware versions 11.1.1.5 through 11.1.2.2, consider restricting access to the changepwd action in the identity/faces/firstlogin endpoint to minimize the risk of exploitation. Avoid using the backUrl parameter in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.