5.8

CVE-2018-16958

EPSS 0.21%
Veröffentlicht 18.09.2018 02:29:01
Zuletzt bearbeitet 21.11.2024 03:53:35
Quelle cve@mitre.org
Teams Watchlist Login
Unerledigt Login

An issue was discovered in Oracle WebCenter Interaction Portal 10.3.3. The ASP.NET_SessionID primary session cookie, when Internet Information Services (IIS) with ASP.NET is used, is not protected with the HttpOnly attribute. The attribute cannot be enabled by customers. Consequently, this cookie is exposed to session hijacking attacks should an adversary be able to execute JavaScript in the origin of the portal installation. NOTE: this CVE is assigned by MITRE and isn't validated by Oracle because Oracle WebCenter Interaction Portal is out of support.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Oracle ≫ Webcenter Interaction Version10.3.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.21%	0.399

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.4	2.8	2.5	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
nvd@nist.gov	5.8	8.6	4.9	AV:N/AC:M/Au:N/C:P/I:P/A:N

CWE-732 Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

http://www.securityfocus.com/bid/105350

Third Party Advisory

VDB Entry

https://seclists.org/fulldisclosure/2018/Sep/22

Third Party Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2018-16958

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2018-16958

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2018-16958

EUVD