Vulnerability To Delete Any Attachments (Doc ID 2830864.1)

Last updated on JUNE 27, 2023

Applies to:

Oracle Financial Services Transaction Filtering - Version 8.0.8.1.0 and later
Information in this document applies to any platform.

In security assessment testing Un-authorized user is able to delete the attachments in alerts by "docId"

Steps to reproduce ::

1. Login to TF Analyst

2. Assign alerts to the user

3. Click on attach and attach the supporting documents

4. Delete the attachments.

Expected Behavior:

Only Authorized user should delete the attachments in alerts by "docId"

Actual result :

User whose permissions have not been verified strictly and can delete attachments by any "docId"

	To view full details, sign in with your My Oracle Support account.
	Don't have a My Oracle Support account? Click to get started!

In this Document

Goal

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.