Thousands of Oracle NetSuite Sites at Risk of Exposing Customer Information

2024-08-20 05:27

Cybersecurity researchers are warning about the discovery of thousands of externally-facing Oracle NetSuite e-commerce sites that have been found susceptible to leaking sensitive customer information.

"A potential issue in NetSuite's SuiteCommerce platform could allow attackers to access sensitive data due to misconfigured access controls on custom record types," AppOmni's Aaron Costello said.

It's worth emphasizing here that the issue is not a security weakness in the NetSuite product, but rather a customer misconfiguration that can lead to leakage of confidential data.

The attack scenario detailed by AppOmni exploits CRTs that employ table-level access controls with the "No Permission Required" access type, which grants unauthenticated users access to data by making use of NetSuite's record and search APIs.

To mitigate the risk, it's recommended that site administrators tighten access controls on CRTs, set sensitive fields to "None" for public access, and consider temporarily taking impacted sites offline to prevent data exposure.

"The easiest solution from a security standpoint may involve changing the Access Type of the record type definition to either 'Require Custom Record Entries Permission' or 'Use Permission List,'" Costello said.

News URL

https://thehackernews.com/2024/08/thousands-of-oracle-netsuite-sites-at.html

#netsuite #oracle

Related vendor

VENDOR	LAST 12M	#/PRODUCTS	LOW	MEDIUM	HIGH	CRITICAL	TOTAL VULNS
Oracle		973	1146	6140	1140	730	9156