Vulnerability To Delete Any Attachments
(Doc ID 2830864.1)
Last updated on JANUARY 03, 2022
Applies to: Oracle Financial Services Transaction Filtering - Version 220.127.116.11.0 and later
Information in this document applies to any platform.
In security assessment testing, an unauthorized user is able to delete the attachments in alerts by "docId".
Steps to reproduce:
1. Log in to TF Analyst
2. Assign alerts to the user
3. Click on attach and attach the supporting documents
4. Delete the attachments.
Only an authorized user should be able to delete the attachments in alerts by "docId".
Actual result:
A user whose permissions have not been strictly verified can delete attachments by any "docId".
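The difference between the actual and the expected behaviour above, as an added example that is not Oracle's code: a delete handler that trusts the supplied "docId" next to one that resolves the attachment server-side and authorizes the caller against it. The data model, the function names and the rule that only the alert's assignee with a delete permission may remove its attachments are assumptions made for illustration.

```python
from dataclasses import dataclass

class NotAuthorized(Exception):
    """Raised when the caller may not delete the requested attachment."""

@dataclass
class Attachment:
    doc_id: int
    alert_id: int
    uploaded_by: str

# Constructed sample data (hypothetical): alert -> assigned analyst, and the
# users who hold the delete-attachment permission.
ALERT_ASSIGNEE = {101: "analyst_a", 102: "analyst_b"}
CAN_DELETE = {"analyst_a", "analyst_b"}

def new_store():
    """Return a fresh attachment table keyed by docId (constructed)."""
    return {
        9001: Attachment(9001, 101, "analyst_a"),
        9002: Attachment(9002, 102, "analyst_b"),
    }

def delete_unchecked(store, user, doc_id):
    """Flawed pattern: any logged-in user can delete whatever docId is sent."""
    return store.pop(doc_id, None) is not None

def delete_checked(store, user, doc_id, audit):
    """Hardened pattern: look up the object, then authorize on the object."""
    att = store.get(doc_id)
    allowed = (
        att is not None
        and user in CAN_DELETE
        and ALERT_ASSIGNEE.get(att.alert_id) == user
    )
    # Log every decision so denied attempts on foreign docIds are visible.
    audit.append((user, doc_id, "ALLOW" if allowed else "DENY"))
    if not allowed:
        # One error for "missing" and "not yours": docIds cannot be probed.
        raise NotAuthorized("attachment not found or access denied")
    del store[doc_id]
    return True
```

The audit list doubles as a detection source: repeated DENY entries from one user across many docIds are worth alerting on.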