
Comments Are Added to narrative Without Needing To Authenticate from post request (Doc ID 2918221.1)

Last updated on JANUARY 02, 2023

Applies to:

Oracle Financial Services Enterprise Case Management - Version 8.0.7 and later
Information in this document applies to any platform.

Symptoms


At the "-API/fccm/CMServlet" endpoint, the system allows comments to be added to any selected Case ID without authentication, using the request fields: caseID={caseID}&narrative={something comment}&userId=SYSTEM&FunctionName=CMNarrative&actionID=7&infodom=FCCMINFO

Changes

The comments are posted with a POST request carrying the parameters of the addNarrative and CMNarrativeSave functions.

Below are the steps to replicate the issue.


1. Log in to the application and navigate to Case search -> Narrative tab.

2. Add comments to the Narrative field and capture the POST request that adds the comments on the Narrative field.

3. Log out of the application.

4. Now update the comment and tamper the cookie value to any junk value in the captured POST request (Step 2).

5. Now log in to the application.

6. Observe that the comments from Step 3 are updated even though the user was not logged in.
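For defenders checking whether this endpoint was reached without a valid session, the following added example (not Oracle's code) scans constructed access-log lines for POST requests to CMServlet with FunctionName=CMNarrative whose session cookie is absent or not in the set of known-valid sessions. The log line format, the JSESSIONID cookie name and the VALID_SESSIONS set are assumptions made for this example.

```python
import re
from urllib.parse import parse_qs

# Constructed sample log lines (not real data). Assumed format:
# "<ip> <method> <path> cookie=<cookie header or -> body=<urlencoded body>"
SAMPLE_LOG = """\
10.0.0.5 POST /API/fccm/CMServlet cookie=JSESSIONID=abc123 body=caseID=CA1&narrative=ok&userId=SYSTEM&FunctionName=CMNarrative&actionID=7&infodom=FCCMINFO
10.0.0.9 POST /API/fccm/CMServlet cookie=- body=caseID=CA2&narrative=hi&userId=SYSTEM&FunctionName=CMNarrative&actionID=7&infodom=FCCMINFO
10.0.0.9 POST /API/fccm/CMServlet cookie=JSESSIONID=junk body=caseID=CA3&narrative=hi&userId=SYSTEM&FunctionName=CMNarrative&actionID=7&infodom=FCCMINFO
10.0.0.5 GET /API/fccm/CMServlet cookie=JSESSIONID=abc123 body=
"""

# Assumption: session ids exported from the application server's session store.
VALID_SESSIONS = {"abc123"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) cookie=(\S+) body=(.*)$")

def parse_line(line):
    """Parse one assumed-format log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, method, path, cookie, body = m.groups()
    session = None
    if cookie != "-":
        for part in cookie.split(";"):
            name, _, value = part.strip().partition("=")
            if name == "JSESSIONID":  # assumed cookie name
                session = value
    params = {k: v[0] for k, v in parse_qs(body).items()}
    return {"ip": ip, "method": method, "path": path,
            "session": session, "params": params}

def find_unauthenticated_writes(log_text, valid_sessions):
    """Return (ip, caseID, session) for narrative writes lacking a valid session."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if not rec["path"].endswith("/CMServlet"):
            continue
        if rec["params"].get("FunctionName") != "CMNarrative":
            continue
        if rec["session"] not in valid_sessions:  # missing or tampered cookie
            hits.append((rec["ip"], rec["params"].get("caseID"), rec["session"]))
    return hits
```

Any hit is a narrative write that the servlet accepted without an authenticated session and should be reviewed against the affected case's narrative history.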

Cause




