{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-10-21T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "Unspecified vulnerability in the Oracle Payments component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, 12.2.3, and 12.2.4 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Punch-in. NOTE: the previous information is from the October 2015 CPU. Oracle has not commented on third-party claims that this issue is an XML External Entity (XXE) vulnerability, which allows remote attackers to cause a denial of service or conduct SMB Relay attacks via a crafted DTD in an XML request to OA_HTML/IspPunchInServlet."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-12-10T17:57:01.000Z", "orgId": "43595867-4340-4103-b7a2-9a5208d29a85", "shortName": "oracle"}, "references": [{"name": "1033877", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1033877"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/134118/Oracle-E-Business-Suite-12.1.3-XXE-Injection.html"}, {"name": "20151029 [ERPSCAN-15-029] Oracle E-Business Suite - XXE injection Vulnerability", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/536789/100/0/threaded"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html"}, {"tags": ["x_refsource_MISC"], "url": "https://erpscan.io/advisories/erpscan-15-029-oracle-e-business-suite-xxe-injection-vulnerability/"}, {"name": "20151030 [ERPSCAN-15-029] Oracle E-Business Suite - XXE injection Vulnerability", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2015/Oct/112"}, {"name": "77243", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/77243"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert_us@oracle.com", "ID": "CVE-2015-4849", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Unspecified vulnerability in the Oracle Payments component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, 12.2.3, and 12.2.4 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Punch-in. NOTE: the previous information is from the October 2015 CPU. Oracle has not commented on third-party claims that this issue is an XML External Entity (XXE) vulnerability, which allows remote attackers to cause a denial of service or conduct SMB Relay attacks via a crafted DTD in an XML request to OA_HTML/IspPunchInServlet."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "1033877", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1033877"}, {"name": "http://packetstormsecurity.com/files/134118/Oracle-E-Business-Suite-12.1.3-XXE-Injection.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/134118/Oracle-E-Business-Suite-12.1.3-XXE-Injection.html"}, {"name": "20151029 [ERPSCAN-15-029] Oracle E-Business Suite - XXE injection Vulnerability", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/536789/100/0/threaded"}, {"name": "http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html"}, {"name": "https://erpscan.io/advisories/erpscan-15-029-oracle-e-business-suite-xxe-injection-vulnerability/", "refsource": "MISC", "url": "https://erpscan.io/advisories/erpscan-15-029-oracle-e-business-suite-xxe-injection-vulnerability/"}, {"name": "20151030 [ERPSCAN-15-029] Oracle E-Business Suite - XXE injection Vulnerability", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2015/Oct/112"}, {"name": "77243", "refsource": "BID", "url": "http://www.securityfocus.com/bid/77243"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T06:25:21.941Z"}, "title": "CVE Program Container", "references": [{"name": "1033877", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1033877"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://packetstormsecurity.com/files/134118/Oracle-E-Business-Suite-12.1.3-XXE-Injection.html"}, {"name": "20151029 [ERPSCAN-15-029] Oracle E-Business Suite - XXE injection Vulnerability", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/536789/100/0/threaded"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://erpscan.io/advisories/erpscan-15-029-oracle-e-business-suite-xxe-injection-vulnerability/"}, {"name": "20151030 [ERPSCAN-15-029] Oracle E-Business Suite - XXE injection Vulnerability", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2015/Oct/112"}, {"name": "77243", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/77243"}]}]}, "cveMetadata": {"assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85", "assignerShortName": "oracle", "cveId": "CVE-2015-4849", "datePublished": "2015-10-21T23:00:00.000Z", "dateReserved": "2015-06-24T00:00:00.000Z", "dateUpdated": "2024-08-06T06:25:21.941Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:e-business_suite:11.5.10.2:*:*:*:*:*:*:*", "matchCriteriaId": "80B61990-9CC2-4215-9879-AC817F4E6767", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:e-business_suite:12.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "4C6BAB4D-1DF5-4ECB-A07E-297A94664BBE", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:e-business_suite:12.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "9E42C3CE-CA98-4C13-B41E-DF7A3FEC560F", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:e-business_suite:12.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "86D2B444-B8D8-4A3D-BCCA-3B5280F05A38", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:e-business_suite:12.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "0FDD0B52-77F6-4607-84F8-1BCF99DB1B23", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Unspecified vulnerability in the Oracle Payments component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, 12.2.3, and 12.2.4 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Punch-in. NOTE: the previous information is from the October 2015 CPU. Oracle has not commented on third-party claims that this issue is an XML External Entity (XXE) vulnerability, which allows remote attackers to cause a denial of service or conduct SMB Relay attacks via a crafted DTD in an XML request to OA_HTML/IspPunchInServlet."}, {"lang": "es", "value": "Vulnerabilidad no especificada en el componente Oracle Payments en Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, 12.2.3 y 12.2.4 permite a atacantes remotos afectar a la confidencialidad, la integridad y la disponibilidad a trav\u00e9s de vectores desconocidos relacionados con Punch-in. NOTA: la informaci\u00f3n anterior es de la CPU de Octubre de 2015. Oracle no ha comentado sobre alegaciones de terceros que consideran que este problema es una vulnerabilidad de Entidad Externa XML (XXE), lo que permite a atacantes remotos causar una denegaci\u00f3n de servicio o llevar a cabo ataques SMB Relay a trav\u00e9s de un DTD manipulado en una petici\u00f3n XML a OA_HTML/IspPunchInServlet."}], "id": "CVE-2015-4849", "lastModified": "2026-05-06T22:30:45.220", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2015-10-21T23:59:17.387", "references": [{"source": "secalert_us@oracle.com", "url": "http://packetstormsecurity.com/files/134118/Oracle-E-Business-Suite-12.1.3-XXE-Injection.html"}, {"source": "secalert_us@oracle.com", "url": "http://seclists.org/fulldisclosure/2015/Oct/112"}, {"source": "secalert_us@oracle.com", "tags": ["Patch", "Vendor Advisory"], "url": "http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html"}, {"source": "secalert_us@oracle.com", "url": "http://www.securityfocus.com/archive/1/536789/100/0/threaded"}, {"source": "secalert_us@oracle.com", "url": "http://www.securityfocus.com/bid/77243"}, {"source": "secalert_us@oracle.com", "url": "http://www.securitytracker.com/id/1033877"}, {"source": "secalert_us@oracle.com", "url": "https://erpscan.io/advisories/erpscan-15-029-oracle-e-business-suite-xxe-injection-vulnerability/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://packetstormsecurity.com/files/134118/Oracle-E-Business-Suite-12.1.3-XXE-Injection.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2015/Oct/112"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/536789/100/0/threaded"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/77243"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securitytracker.com/id/1033877"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://erpscan.io/advisories/erpscan-15-029-oracle-e-business-suite-xxe-injection-vulnerability/"}], "sourceIdentifier": "secalert_us@oracle.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{}