Oracle Commerce Guided Search 11.3.2 Content Acquisition System xml external entity reference

A vulnerability classified as very critical was found in Oracle Commerce Guided Search 11.3.2. Affected by this vulnerability is an unknown function of the component Content Acquisition System. Upgrading eliminates this vulnerability; the upgrade is hosted for download at github.com. Applying a patch also eliminates this problem; the bugfix is ready for download at github.com. The recommended mitigation is upgrading to the latest version. A possible mitigation was published immediately after the disclosure of the vulnerability.

Entry history (one column per revision of the record; a blank cell means the field was not present in that revision):

Field | 07/20/2022 08:15 AM | 08/06/2022 07:02 PM | 08/06/2022 07:09 PM
vendor | Oracle | Oracle | Oracle
name | Commerce Guided Search | Commerce Guided Search | Commerce Guided Search
cve | CVE-2020-10683 | CVE-2020-10683 | CVE-2020-10683
component | Content Acquisition System | Content Acquisition System | Content Acquisition System
risk | 3 | 3 | 3
cvss3_vuldb_av | N | N | N
cvss3_vuldb_ac | L | L | L
cvss3_vuldb_pr | N | N | N
cvss3_vuldb_ui | N | N | N
cvss3_vuldb_s | U | U | U
cvss3_vuldb_c | H | H | H
cvss3_vuldb_i | H | H | H
cvss3_vuldb_a | H | H | H
version | 11.3.2 | 11.3.2 | 11.3.2
cvss3_vuldb_rc | C | C | C
cvss3_vuldb_rl | O | O | O
url | https://www.oracle.com/security-alerts/cpujul2022.html | https://www.oracle.com/security-alerts/cpujul2022.html | https://www.oracle.com/security-alerts/cpujul2022.html
date | 1658181600 (07/19/2022) | 1658181600 (07/19/2022) | 1658181600 (07/19/2022)
identifier | Oracle Critical Patch Update Advisory - July 2022 | Oracle Critical Patch Update Advisory - July 2022 | Oracle Critical Patch Update Advisory - July 2022
date | 1658181600 (07/19/2022) | 1658181600 (07/19/2022) | 1658181600 (07/19/2022)
name | Upgrade | Upgrade | Upgrade
cvss2_vuldb_av | N | N | N
cvss2_vuldb_ac | L | L | L
cvss2_vuldb_au | N | N | N
cvss2_vuldb_ci | C | C | C
cvss2_vuldb_ii | C | C | C
cvss2_vuldb_ai | C | C | C
cvss2_vuldb_rc | C | C | C
cvss2_vuldb_rl | OF | OF | OF
cvss2_vuldb_e | ND | ND | ND
cvss3_vuldb_e | X | X | X
cvss2_vuldb_basescore | 10.0 | 10.0 | 10.0
cvss2_vuldb_tempscore | 8.7 | 8.7 | 8.7
cvss3_vuldb_basescore | 9.8 | 9.8 | 9.8
cvss3_vuldb_tempscore | 9.4 | 9.4 | 9.4
cvss3_meta_basescore | 9.8 | 9.8 | 9.8
cvss3_meta_tempscore | 9.4 | 9.4 | 9.6
price_0day | $25k-$100k | $25k-$100k | $25k-$100k
patch_url | | https://github.com/dom4j/dom4j/commit/a8228522a99a02146106672a34c104adbda5c658 | https://github.com/dom4j/dom4j/commit/a8228522a99a02146106672a34c104adbda5c658
upgrade_url | | https://github.com/dom4j/dom4j/releases/tag/version-2.1.3 | https://github.com/dom4j/dom4j/releases/tag/version-2.1.3
cve_assigned | | 1584658800 (03/20/2020) | 1584658800 (03/20/2020)
cve_nvd_summary | | dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j. | dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.
cwe | | | 00611 (xml external entity reference)
cvss3_nvd_av | | | N
cvss3_nvd_ac | | | L
cvss3_nvd_pr | | | N
cvss3_nvd_ui | | | N
cvss3_nvd_s | | | U
cvss3_nvd_c | | | H
cvss3_nvd_i | | | H
cvss3_nvd_a | | | H
cvss2_nvd_av | | | N
cvss2_nvd_ac | | | L
cvss2_nvd_au | | | N
cvss2_nvd_ci | | | P
cvss2_nvd_ii | | | P
cvss2_nvd_ai | | | P
cvss2_nvd_basescore | | | 7.5
cvss3_nvd_basescore | | | 9.8
