CVE-2007-3860

Severity

75%

Complexity

99%

Confidentiality

106%

Unspecified vulnerability in Oracle Application Express (formerly Oracle HTML DB) 2.2.0.00.32 up to 3.0.0.00.20 allows developers to have an unknown impact via unknown attack vectors, aka APEX01. NOTE: a reliable researcher states that this is SQL injection in the wwv_flow_security.check_db_password function due to insufficient checks for '"' characters.

Unspecified vulnerability in Oracle Application Express (formerly Oracle HTML DB) 2.2.0.00.32 up to 3.0.0.00.20 allows developers to have an unknown impact via unknown attack vectors, aka APEX01. NOTE: a reliable researcher states that this is SQL injection in the wwv_flow_security.check_db_password function due to insufficient checks for '"' characters.

CVSS 2.0 Base Score 7.5. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P).

Overview

Type

Oracle

First reported 17 years ago

2007-07-18 19:30:00

Last updated 6 years ago

2018-10-15 21:31:00

Affected Software

Oracle Application Express 2.2.0.00.32

2.2.0.00.32

Oracle APEX HTMLDB

References

SSRT061201

26114

Vendor Advisory

26166

2901

http://www.integrigy.com/security-resources/analysis/Integrigy_Oracle_CPU_July_2007_Analysis.pdf

http://www.oracle.com/technetwork/topics/security/cpujul2007-087014.html

http://www.red-database-security.com/advisory/oracle_apex_sql_injection_check_db_password.html

http://www.red-database-security.com/advisory/oracle_cpu_jul_2007.html

20070718 Oracle Security: SQL Injection in APEX CHECK_DB_PASSWORD

1018415

TA07-200A

US Government Resource

ADV-2007-2562

ADV-2007-2635

oracle-cpu-july2007(35490)

oracle-apex-sql-injection(35499)

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.