Credit:
The original article can be found at: http://www.oracle.com/technetwork/topics/security/cpujul2012-392727.html
The information has been provided by Esteban Martinez Fayo.
Vulnerable Systems:
* Oracle Enterprise Manager Database Control 11.1.0.7, 11.2.0.3 (and previous patchsets)
SQL Injection works by modifying the parameters passed to an application so that the SQL statements the application sends to the database are changed. SQL injection can be used to insert additional SQL statements that the database then executes.
There are multiple SQL Injection vulnerabilities in components of SQL Tuning Sets that can be abused to execute SQL statements with elevated privileges. The SQL Injection can be exploited by convincing an Oracle Enterprise Manager user to click on a malicious link or visit a web site with malicious content (Cross-site request forgery attack).
Impact:
An attacker that convinces an Oracle Enterprise Manager user to click or open a malicious link can impersonate the user and execute SQL statements.
CVE Information:
CVE-2012-1737
Disclosure Timeline:
Vendor Notification - 5/30/2011
Vendor Response - 6/10/2011
Fix - 7/17/2012
Public Disclosure - 10/04/2012