
Vulnerability To Delete Any Attachments (Doc ID 2830864.1)

Last updated on JUNE 27, 2023

Applies to:

Oracle Financial Services Transaction Filtering - Version and later
Information in this document applies to any platform.


In security assessment testing, an unauthorized user is able to delete the attachments in alerts by "docId".


Steps to reproduce:

1. Log in to TF Analyst

2. Assign alerts to the user

3. Click on attach and attach the supporting documents

4. Delete the attachments. 


Expected Behavior:

Only an authorized user should be able to delete the attachments in alerts by "docId".

Actual result:

The user's permissions are not strictly verified, so the user can delete attachments by any "docId".
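
The gap between the expected and actual behavior above is a missing object-level authorization check on the delete operation. The sketch below is an added example, not Oracle's code: the store, the role name `TF_ANALYST`, the user names and the rule that only the analyst assigned to an alert may delete its attachments are all assumptions made for illustration.

```python
# Added illustration, not Oracle code. Every name here is hypothetical.
from dataclasses import dataclass


class AuthorizationError(Exception):
    """Raised when the caller may not act on the requested attachment."""


@dataclass
class Attachment:
    doc_id: int
    alert_id: int


class AttachmentStore:
    def __init__(self, attachments, alert_assignees, delete_roles):
        self.attachments = {a.doc_id: a for a in attachments}
        self.alert_assignees = alert_assignees  # alert_id -> assigned user
        self.delete_roles = delete_roles        # roles allowed to delete

    def delete_unchecked(self, user, role, doc_id):
        # Behaviour reported on the page: docId alone selects the record,
        # and the caller's identity is never compared against it.
        return self.attachments.pop(doc_id, None) is not None

    def delete_checked(self, user, role, doc_id):
        # Resolve the object server-side, then authorize the caller against it.
        att = self.attachments.get(doc_id)
        if att is None:
            # Same reply as a denial, so valid docIds cannot be enumerated.
            raise AuthorizationError("not permitted")
        if role not in self.delete_roles:
            raise AuthorizationError("not permitted")
        if self.alert_assignees.get(att.alert_id) != user:
            raise AuthorizationError("not permitted")
        del self.attachments[doc_id]
        return True


def build_sample_store():
    # Constructed sample data: two alerts, each assigned to a different analyst.
    return AttachmentStore(
        attachments=[Attachment(101, 1), Attachment(202, 2)],
        alert_assignees={1: "analyst_a", 2: "analyst_b"},
        delete_roles={"TF_ANALYST"},
    )
```
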

