
Vulnerability To Delete Any Attachments (Doc ID 2830864.1)

Last updated on JANUARY 03, 2022

Applies to:

Oracle Financial Services Transaction Filtering - Version 8.0.8.1.0 and later
Information in this document applies to any platform.

Goal

In security assessment testing, an unauthorized user is able to delete the attachments in alerts by "docId".

 

Steps to reproduce:

1. Log in to TF Analyst

2. Assign alerts to the user

3. Click on attach and attach the supporting documents

4. Delete the attachments. 

 

Expected Behavior:

Only an authorized user should be able to delete the attachments in alerts by "docId".

Actual result:

A user whose permissions have not been strictly verified can delete attachments by any "docId".
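
The gap between the expected and actual behavior above is a missing object-level authorization check on the delete operation. The following is an added example, not Oracle's code or fix: it contrasts a delete keyed only on "docId" with one that resolves the "docId" to its alert and verifies the caller first. The class, function and user names are hypothetical, the data is constructed, and the rule "the alert must be assigned to the caller" is an assumption standing in for the product's real permission model.

```python
from dataclasses import dataclass

@dataclass
class Attachment:
    doc_id: int
    alert_id: int

class AttachmentStore:
    """Constructed in-memory stand-in for the alert and attachment tables."""
    def __init__(self):
        self.alert_assignee = {}  # alert_id -> user the alert is assigned to
        self.attachments = {}     # doc_id -> Attachment
        self.audit = []           # (user, doc_id, outcome)

    def delete_unchecked(self, user, doc_id):
        # Flawed pattern: the caller is authenticated, but the docId is
        # trusted as-is, so any docId can be deleted by any user.
        return self.attachments.pop(doc_id, None) is not None

    def delete_checked(self, user, doc_id):
        # Resolve the docId server-side to its alert, then require that the
        # alert is assigned to the caller (assumed rule) before deleting.
        att = self.attachments.get(doc_id)
        allowed = att is not None and self.alert_assignee.get(att.alert_id) == user
        self.audit.append((user, doc_id, "deleted" if allowed else "denied"))
        if not allowed:
            # Same error for "missing" and "not yours": no docId probing.
            raise PermissionError("attachment not found or not permitted")
        del self.attachments[doc_id]
        return True

def demo():
    store = AttachmentStore()
    store.alert_assignee = {100: "analyst_a", 200: "analyst_b"}
    store.attachments = {1: Attachment(1, 100), 2: Attachment(2, 200),
                         3: Attachment(3, 200)}
    results = {"unchecked_cross_user": store.delete_unchecked("analyst_a", 2)}
    try:
        store.delete_checked("analyst_a", 3)
        results["checked_cross_user"] = "deleted"
    except PermissionError:
        results["checked_cross_user"] = "denied"
    results["checked_owner"] = store.delete_checked("analyst_a", 1)
    results["remaining"] = sorted(store.attachments)
    results["audit"] = store.audit
    return results

if __name__ == "__main__":
    print(demo())
```

The audit list records denied attempts as well as successful deletes, which gives a detection signal for users requesting "docId" values that belong to alerts not assigned to them.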

Solution

To view full details, sign in with your My Oracle Support account.
