CVE-2016-3438

Unspecified vulnerability in the Oracle Configurator component in Oracle Supply Chain Products Suite 12.0.6, 12.1, and 12.2 allows remote attackers to affect confidentiality and integrity via vectors related to JRAD Heartbeat. NOTE: the previous information is from the April 2016 CPU. Oracle has not commented on third-party claims that that this issue involves multiple cross-site scripting (XSS) vulnerabilities, which allow remote attackers to inject arbitrary web script or HTML via three unspecified parameters in an unknown JSP file.

Published: Apr 21, 2016
Updated: Apr 13, 2023
CVE: CVE-2016-3438
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.2
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

CVSS v2:

Severity: Medium
Score: 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:N

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
oracle / configurator	12.1	12.1.x
oracle / configurator	12.2	12.2.x

http://onapsis.com/research/security-advisories/oracle-e-business-suite-cross-site-scripting-xss-cve-2016-3438
http://packetstormsecurity.com/files/138564/Oracle-E-Business-Suite-12.2-Cross-Site-Scripting.html
http://seclists.org/fulldisclosure/2016/Aug/136
http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
http://www.securitytracker.com/id/1035591

Vulnerability Database

CVE-2016-3438

Deep Security Visibility Without the Complexity