Vulnerabilities > CVE-2005-2372 - Unspecified vulnerability in Oracle Forms

CVSS 0.0 - NONE

Attack vector

UNKNOWN

Attack complexity

UNKNOWN

Privileges required

UNKNOWN

Confidentiality impact

UNKNOWN

Integrity impact

UNKNOWN

Availability impact

UNKNOWN

oracle

NVD

Published: 2005-07-26

Updated: 2024-11-20

Summary

Oracle Forms 4.5 through 10g starts form executables from arbitrary directories and executes them as the Oracle or System user, which allows attackers to execute arbitrary code by uploading a malicious .fmx file and referencing it using an absolute pathname argument in the (1) form or (2) module parameters to f90servlet.

Vulnerable Configurations

Part	Description	Count
Application	Oracle Oracle Forms 6.0 Oracle Forms 3.0 Oracle Forms 4.5 Oracle Forms 6I Oracle Forms 9I Oracle Forms 10G Oracle Forms 5.0	7

References

http://marc.info/?l=bugtraq&m=112180805413784&w=2
http://marc.info/?l=bugtraq&m=112180805413784&w=2
http://www.red-database-security.com/advisory/oracle_forms_run_any_os_command.html
http://www.red-database-security.com/advisory/oracle_forms_run_any_os_command.html