Vulnerability To Delete Any Attachments
(Doc ID 2830864.1)
Last updated on JUNE 27, 2023
Applies to:
Oracle Financial Services Transaction Filtering - Version 8.0.8.1.0 and laterInformation in this document applies to any platform.
Goal
In security assessment testing Un-authorized user is able to delete the attachments in alerts by "docId"
Steps to reproduce ::
1. Login to TF Analyst
2. Assign alerts to the user
3. Click on attach and attach the supporting documents
4. Delete the attachments.
Expected Behavior:
Only Authorized user should delete the attachments in alerts by "docId"
Actual result :
User whose permissions have not been verified strictly and can delete attachments by any "docId"
Solution
To view full details, sign in with your My Oracle Support account. |
|
Don't have a My Oracle Support account? Click to get started! |
In this Document
Goal |
Solution |
References |