PT-2007-6532 · Oracle · Oracle Text+2

Published

2007-10-17

Updated

2018-10-15

CVE-2007-5508

CVSS v2.0

6.5

Medium

Vector

AV:N/AC:L/Au:S/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions: Oracle Database versions 10.1.0.5 and 10.2.0.3

Description: The issue concerns SQL injection vulnerabilities in the CTXSYS Intermedia application for the Oracle Text component. These vulnerabilities allow remote authenticated users to execute arbitrary SQL commands via several procedures, including THEMES, GIST, TOKENS, FILTER, HIGHLIGHT, and MARKUP. Additionally, remote unauthenticated attack vectors exist when CTXSYS is used with Oracle Application Server.

Recommendations: For Oracle Database version 10.1.0.5, consider restricting access to the CTXSYS Intermedia application until a fix is available. For Oracle Database version 10.2.0.3, avoid using the vulnerable procedures THEMES, GIST, TOKENS, FILTER, HIGHLIGHT, and MARKUP in the CTXSYS Intermedia application until the issue is resolved.

Exploit

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

CVE-2007-5508

Affected Products

Oracle Application Server

Oracle Database

Oracle Text

PT-2007-6532 · Oracle · Oracle Text+2

CVE-2007-5508

Weakness Enumeration

Related Identifiers

Affected Products

References · 15