ZDI-20-1283
Reported by: Tuan Anh Nguyen of Viettel Cyber Security
Published: Oct 22, 2020

Oracle E-Business Suite ozfVendorLov SQL Injection Information Disclosure Vulnerability

www.zerodayinitiative.com

EPSS: 0.021 (percentile 89.4%)

This vulnerability allows remote attackers to escalate privileges on affected installations of Oracle E-Business Suite. Authentication is not required to exploit this vulnerability. The specific flaw exists within ozfVendorLov.jsp. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise.