Vulnerabilities > CVE-2005-2372 - Local Security vulnerability in Forms And Reports

CVSS 7.2 - HIGH

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

local

low complexity

oracle

NVD

Published: 2005-07-26

Updated: 2016-10-18

Summary

Oracle Forms 4.5 through 10g starts form executables from arbitrary directories and executes them as the Oracle or System user, which allows attackers to execute arbitrary code by uploading a malicious .fmx file and referencing it using an absolute pathname argument in the (1) form or (2) module parameters to f90servlet.

Vulnerable Configurations

Part	Description	Count
Application	Oracle Oracle Forms 3.0 Oracle Forms 4.5 Oracle Forms 5.0 Oracle Forms 6.0 Oracle Forms 6I Oracle Forms 9I Oracle Forms 10G	7

References

http://marc.info/?l=bugtraq&m=112180805413784&w=2
http://www.red-database-security.com/advisory/oracle_forms_run_any_os_command.html