CVE-2016-0489

Name of the Vulnerable Software and Affected Versions Oracle Enterprise Manager Grid Control versions 12.4.0.2 through 12.5.0.2

Description The issue affects confidentiality, integrity, and availability. It is related to the Test Manager for Web Apps in the Oracle Application Testing Suite component. There are claims that this is a directory traversal vulnerability in the ActionServlet servlet, allowing remote authenticated users to upload and execute arbitrary files via directory traversal sequences in the tempfilename parameter in a ReportImage action.

Recommendations For versions 12.4.0.2 and 12.5.0.2, consider restricting access to the ActionServlet servlet to minimize the risk of exploitation. Avoid using the tempfilename parameter in the ReportImage action until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.