CVE-2018-16958

Name of the Vulnerable Software and Affected Versions Oracle WebCenter Interaction Portal version 10.3.3

Description A security issue exists where the ASP.NET SessionID primary session cookie is not protected with the HttpOnly attribute when Internet Information Services (IIS) with ASP.NET is used. This exposes the cookie to session hijacking attacks if an adversary can execute JavaScript in the origin of the portal installation.

Recommendations For Oracle WebCenter Interaction Portal version 10.3.3, consider restricting access to sensitive areas of the portal to minimize the risk of session hijacking until a more permanent solution can be found. At the moment, there is no information about a newer version that contains a fix for this vulnerability.