Oracle Commerce Guided Search 11.3.2 Framework/Experience Manager cross-site request forgery

A vulnerability, which was classified as very critical, has been found in Oracle Commerce Guided Search 11.3.2. An unknown function of the Framework/Experience Manager component is affected. Upgrading eliminates this vulnerability; the upgrade is hosted for download at github.com. A possible mitigation was published immediately after disclosure of the vulnerability.

| Field | 07/20/2022 08:15 AM | 08/06/2022 07:17 PM | 08/06/2022 07:24 PM |
|---|---|---|---|
| identifier | Oracle Critical Patch Update Advisory - July 2022 | Oracle Critical Patch Update Advisory - July 2022 | Oracle Critical Patch Update Advisory - July 2022 |
| date | 1658181600 (07/19/2022) | 1658181600 (07/19/2022) | 1658181600 (07/19/2022) |
| name | Upgrade | Upgrade | Upgrade |
| cvss2_vuldb_av | N | N | N |
| cvss2_vuldb_ac | L | L | L |
| cvss2_vuldb_au | N | N | N |
| cvss2_vuldb_ci | C | C | C |
| cvss2_vuldb_ii | C | C | C |
| cvss2_vuldb_ai | C | C | C |
| cvss2_vuldb_rc | C | C | C |
| cvss2_vuldb_rl | OF | OF | OF |
| cvss2_vuldb_e | ND | ND | ND |
| cvss3_vuldb_e | X | X | X |
| cvss2_vuldb_basescore | 10.0 | 10.0 | 10.0 |
| cvss2_vuldb_tempscore | 8.7 | 8.7 | 8.7 |
| cvss3_vuldb_basescore | 9.8 | 9.8 | 9.8 |
| cvss3_vuldb_tempscore | 9.4 | 9.4 | 9.4 |
| cvss3_meta_basescore | 9.8 | 9.8 | 9.8 |
| cvss3_meta_tempscore | 9.4 | 9.4 | 9.6 |
| price_0day | $25k-$100k | $25k-$100k | $25k-$100k |
| vendor | Oracle | Oracle | Oracle |
| name | Commerce Guided Search | Commerce Guided Search | Commerce Guided Search |
| cve | CVE-2019-17495 | CVE-2019-17495 | CVE-2019-17495 |
| component | Framework/Experience Manager | Framework/Experience Manager | Framework/Experience Manager |
| risk | 3 | 3 | 3 |
| cvss3_vuldb_av | N | N | N |
| cvss3_vuldb_ac | L | L | L |
| cvss3_vuldb_pr | N | N | N |
| cvss3_vuldb_ui | N | N | N |
| cvss3_vuldb_s | U | U | U |
| cvss3_vuldb_c | H | H | H |
| cvss3_vuldb_i | H | H | H |
| cvss3_vuldb_a | H | H | H |
| version | 11.3.2 | 11.3.2 | 11.3.2 |
| cvss3_vuldb_rc | C | C | C |
| cvss3_vuldb_rl | O | O | O |
| url | https://www.oracle.com/security-alerts/cpujul2022.html | https://www.oracle.com/security-alerts/cpujul2022.html | https://www.oracle.com/security-alerts/cpujul2022.html |
| date | 1658181600 (07/19/2022) | 1658181600 (07/19/2022) | 1658181600 (07/19/2022) |
| upgrade_url | | https://github.com/swagger-api/swagger-ui/releases/tag/v3.23.11 | https://github.com/swagger-api/swagger-ui/releases/tag/v3.23.11 |
| cve_assigned | | 1570658400 (10/10/2019) | 1570658400 (10/10/2019) |
| cve_nvd_summary | | A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before 3.23.11 allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value. In other words, this product intentionally allows the embedding of untrusted JSON data from remote servers, but it was not previously known that @import within the JSON data was a functional attack method. | A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before 3.23.11 allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value. In other words, this product intentionally allows the embedding of untrusted JSON data from remote servers, but it was not previously known that @import within the JSON data was a functional attack method. |
| cvss3_nvd_i | | | H |
| cvss3_nvd_a | | | H |
| cvss2_nvd_av | | | N |
| cvss2_nvd_ac | | | L |
| cvss2_nvd_au | | | N |
| cvss2_nvd_ci | | | P |
| cvss2_nvd_ii | | | P |
| cvss2_nvd_ai | | | P |
| cvss2_nvd_basescore | | | 7.5 |
| cvss3_nvd_basescore | | | 9.8 |
| cwe | | | 00352 (cross-site request forgery) |
| cvss3_nvd_av | | | N |
| cvss3_nvd_ac | | | L |
| cvss3_nvd_pr | | | N |
| cvss3_nvd_ui | | | N |
| cvss3_nvd_s | | | U |
| cvss3_nvd_c | | | H |
