
Re: [Full-disclosure] CVE-2014-5877 - Local File Inclusion in Oracle Demantra



Apologies, the CVE-ID for this advisory is actually CVE-2013-5877.

On 28/02/14 15:16, Portcullis Advisories wrote:
> Vulnerability title: Local File Inclusion in Oracle Demantra
> CVE: CVE-2014-5877
> Vendor: Oracle
> Product: Demantra
> Affected version: 12.2.1
> Fixed version: 10.1.1.2
> Reported by: Oliver Gruskovnjak
>
> Details:
>
> A Local File Include (LFI) vulnerability has been discovered in Oracle
> Demantra. The vulnerability occurs when a file from the target system
> is injected into a page on the attacked server page.
>         
> The vulnerable page is:
> * /demantra/GraphServlet
>
>
> Further details at:
> https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-5877/
>
>
> Copyright:
> Copyright (c) Portcullis Computer Security Limited 2014, All rights
> reserved worldwide. Permission is hereby granted for the electronic
> redistribution of this information. It is not to be edited or altered
> in any way without the express written consent of Portcullis Computer
> Security Limited.
>
> Disclaimer:
> The information herein contained may change without notice. Use of
> this information constitutes acceptance for use in an AS IS condition.
> There are NO warranties, implied or otherwise, with regard to this
> information or its use. Any use of this information is at the user's
> risk. In no event shall the author/distributor (Portcullis Computer
> Security Limited) be held liable for any damages whatsoever arising
> out of or in connection with the use or spread of this information. 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/