|
|
|||
| Rule General Information |
|---|
| Release Date: | 2018-07-16 | |
| Rule Name: | EXPLOIT Oracle Data Quality LoaderWizard DataPreview Type Confusion Vulnerability (CVE-2015-0446) | |
| Severity: | ||
| CVE ID: | ||
| Rule Protection Details |
|---|
| Description: | This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Oracle Data Quality. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the TSS12.LoaderWizard.lwctrl ActiveX control. The DataPreview method does not validate the type of data passed to it, instead treating any object passed in as if it were the expected type. An attacker could leverage this to execute arbitrary code in the context of the browser. 11.1.1.7.0 and previous versions are affected. | |
| Impact: | A remote attacker can exploit this vulnerability by enticing a user to access a maliciously crafted webpage. This can lead to arbitrary code execution in the context of the affected user. | |
| Affected OS: | Network Device, Solaris, FreeBSD, Windows, Mac OS, iOS, Other Unix, Linux, Others, Android | |
| Reference: | ZeroDayInitiative:ZDI-15-103 http://cwe.mitre.org/data/definitions/822.html |
|
| Solutions |
|---|
| Upgrade to version 11.1.1.7.0. |