CVE-2018-16959

Name of the Vulnerable Software and Affected Versions Oracle WebCenter Interaction Portal version 10.3.3

Description An issue was discovered in the portal component of Oracle WebCenter Interaction Portal, which is delivered with an insecure default User Profile community configuration. This configuration allows anonymous users to retrieve the account names of all portal users via the "/portal/server.pt/user/user/" endpoint. When synchronized with Active Directory (AD), this issue can expose the account names of all AD users.

Recommendations For Oracle WebCenter Interaction Portal version 10.3.3, consider restricting access to the "/portal/server.pt/user/user/" endpoint to prevent anonymous users from retrieving account names. Additionally, review and modify the default User Profile community configuration to enhance security. At the moment, there is no information about a newer version that contains a fix for this vulnerability.