PT-2012-4520 · Oracle · Oracle Reports Developer+1

Miss_Sudo

Published

2012-10-16

Updated

2025-03-13

CVE-2012-3153

CVSS v2.0

6.4

Medium

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:N

Name of the Vulnerable Software and Affected Versions Oracle Fusion Middleware versions 11.1.1.4 through 11.1.2.0

Description The issue affects confidentiality and integrity, and it is related to the Servlet in the Oracle Reports Developer component. There are claims that the PARSEQUERY function allows remote attackers to obtain database credentials via the "reports/rwservlet/parsequery" endpoint.

Recommendations For Oracle Fusion Middleware versions 11.1.1.4 through 11.1.2.0, consider restricting access to the PARSEQUERY function and the "reports/rwservlet/parsequery" endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Related Identifiers

CVE-2012-3153

Affected Products

Oracle Fusion Middleware

Oracle Reports Developer

PT-2012-4520 · Oracle · Oracle Reports Developer+1

CVE-2012-3153

Related Identifiers

Affected Products

References · 16