Vulnerability Details : CVE-2015-4854
Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 12.0.6, 12.1.3, 12.2.3, and 12.2.4 allows remote attackers to affect integrity via unknown vectors related to Single Signon. NOTE: the previous information is from the October 2015 CPU. Oracle has not commented on third-party claims that this issue is a cross-site scripting (XSS) vulnerability, which allows remote attackers to inject arbitrary web script or HTML via the Domain parameter in the CfgOCIReturn servlet.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2015-4854
- cpe:2.3:a:oracle:e-business_suite:12.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:e-business_suite:12.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:e-business_suite:12.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:e-business_suite:12.2.4:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2015-4854
- EPSS score: 0.28% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~64% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2015-4854
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST | |
References for CVE-2015-4854
- http://packetstormsecurity.com/files/134100/Oracle-E-Business-Suite-12.1.4-Cross-Site-Scripting.html (Oracle E-Business Suite 12.1.4 Cross Site Scripting, Packet Storm)
- http://www.securityfocus.com/archive/1/536772/100/0/threaded (SecurityFocus)
- http://www.securityfocus.com/bid/77253 (Oracle E-Business Suite CVE-2015-4854 Cross Site Scripting Vulnerability)
- http://seclists.org/fulldisclosure/2015/Oct/100 (Full Disclosure: [ERPSCAN-15-027] Oracle E-Business Suite - Cross Site Scripting Vulnerability)
- https://erpscan.io/advisories/erpscan-15-027-oracle-e-business-suite-cross-site-scripting-vulnerability/ ([ERPSCAN-15-027] Oracle E-Business Suite - Cross-site Scripting vulnerability)
- http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html (Oracle Critical Patch Update - October 2015; Patch, Vendor Advisory)
- http://www.securitytracker.com/id/1033877 (Oracle E-Business Suite Bugs Let Remote Users Partially Access Data, Modify Data, and Deny Service, SecurityTracker)