Comments Are Added to Narrative Without Needing to Authenticate from POST Request
(Doc ID 2918221.1)
Last updated on JANUARY 02, 2023
Applies to:
Oracle Financial Services Enterprise Case Management - Version 8.0.7 and later
Information in this document applies to any platform.
Symptoms
At "-API/fccm/CMServlet", the system allows adding comments to every selected Case ID without needing to authenticate, using the fields: caseID={caseID}&narrative={something comment}&userId=SYSTEM&FunctionName=CMNarrative&actionID=7&infodom=FCCMINFO
Changes
The comments are posted with a POST request whose parameters are handled by the addNarrative and CMNarrativeSave functions.
Below are the steps to replicate the issue.
1. Login to the application and navigate to Case search -> Narrative tab.
2. Add comments to the Narrative field and capture the POST request that adds the comments on the Narrative field.
3. Logout of the application.
4. Now update the comment and also tamper the cookie value to any junk value in the captured POST request (Step 2).
5. Now login to the application.
6. Observe that the comments are updated from Step 3 even though the user was not logged in.
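As an added illustration (not Oracle's code, and not the Cause or Solution of this document, which are not reproduced here), the following hypothetical servlet filter shows the kind of server-side check whose absence matches the symptom above: a request to the narrative-saving servlet is rejected unless it carries an authenticated server-side session, and the acting user is taken from that session rather than from the client-supplied userId parameter. The filter class name, the AUTH_USER session attribute, the actingUser request attribute and the URL pattern are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Illustrative authentication filter (hypothetical, not Oracle code).
 * Placed in front of the servlet path that handles narrative saves so that
 * no state-changing function runs without an authenticated session.
 */
public class NarrativeAuthFilter implements Filter {

    // Assumed session attribute that the application's login code sets.
    static final String AUTH_USER = "AUTH_USER";

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false) never creates a session: a missing, expired or
        // tampered session cookie yields null rather than a fresh anonymous session.
        HttpSession session = request.getSession(false);
        Object user = (session == null) ? null : session.getAttribute(AUTH_USER);

        if (user == null) {
            // Reject before any servlet function (such as CMNarrative) executes.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Hand the authenticated identity to downstream code; the client's own
        // userId parameter is never used as the acting user.
        request.setAttribute("actingUser", user);
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() { }
}
```

The filter would be mapped to the servlet path in web.xml (or with `@WebFilter`), and the code that persists the narrative would read the user from the `actingUser` request attribute and ignore `userId` from the form body. With this check in place, the tampered cookie in step 4 produces a 401 instead of a stored comment.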
Cause