A vulnerability has been found in Oracle WebCenter Portal 12.2.1.3.0/12.2.1.4.0 (Content Management System) and classified as very critical. Affected by this vulnerability is some unknown processing of the component Portlet Services. The manipulation with an unknown input leads to a remote code execution vulnerability. The CWE definition for the vulnerability is CWE-611. The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. As an impact it is known to affect confidentiality, integrity, and availability.

The weakness was presented 10/20/2020 as Oracle Critical Patch Update Advisory - October 2020. It is possible to read the advisory at oracle.com. This vulnerability is known as CVE-2020-10683. The exploitation appears to be easy. The attack can be launched remotely. The exploitation doesn't need any form of authentication. The technical details are unknown and an exploit is not publicly available. The pricing for an exploit might be around USD $0-$5k at the moment (estimation calculated on 11/22/2020).

Upgrading eliminates this vulnerability. A possible mitigation has been published immediately after the disclosure of the vulnerability.

Productinfo

Type

• Content Management System

Vendor

• Oracle

Name

• WebCenter Portal

Version

• 12.2.1.3.0
• 12.2.1.4.0

License

• commercial

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion