An Unauthenticated User can Access the Refer Functionality (Doc ID 2069764.1)

Last updated on JULY 27, 2017

Applies to:

Oracle iRecruitment - Version 12.1.3 and later
Information in this document applies to any platform.

Symptoms

On : 12.1.3 version, Candidate Self Service

ACTUAL BEHAVIOR
---------------
The application allows an unauthenticated user to access the refer functionality, which should be accessible only to authenticated users.

1. Search for a job in the 'Job Search' page.
2. Copy the URL associated with the Job Name.
In the URL below, replace the 'OAFunc' parameter with the 'page' parameter:

https://xxx.com/OA_HTML/OA.jsp?OAFunc=IRC_VIS_VAC_DISPLAY&_ti=172495955&oapc=10&oas=Nf2xetLm9F1DJSyktEbMrw..

https://xxx.com/OA_HTML/OA.jsp?page=/oracle/apps/irc/candidateSearch/webui/AplReferPG&_ti=17249955&oapc=10&oas=Nf2xetLm9F1DJSyktEbMrw..


3. Add the Refer email id and send the email.
4. Log in to the application (as posted user) and you receive the Job reference email.
 

EXPECTED BEHAVIOR
-----------------------
An unauthenticated user should not be able to access the refer functionality.

STEPS
-----------------------
The issue can be reproduced at will with the following steps:

1. Navigate to the external job site.
2. Search for a job in the 'Job Search' page.
3. Copy the URL associated with the Job Name.
In the URL below, replace the 'OAFunc' parameter with the 'page' parameter:

https://xxx.com/OA_HTML/OA.jsp?OAFunc=IRC_VIS_VAC_DISPLAY&_ti=17249555&oapc=10&oas=Nf2xetLm9F1DJSyktEbMrw..

https://xxx.com/OA_HTML/OA.jsp?page=/oracle/apps/irc/candidateSearch/webui/AplReferPG&_ti=1724955&oapc=10&oas=Nf2xetLm9F1DJSyktEbMrw..

4. Add the Refer email id and send the email.
5. Log in to the application (as posted user) and you will have received the Job reference email.
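
The request pattern in the steps above can be looked for in web-tier access logs. The following is an added example, not part of the Oracle document: it flags OA.jsp requests that address the refer page directly through the 'page' parameter. The Apache-style log format, the function name and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Page path taken from the URL in the reproduction steps.
REFER_PAGE = "/oracle/apps/irc/candidateSearch/webui/AplReferPG"

# Assumption: web-tier access log in Apache common/combined format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Jul/2017:10:01:02 +0000] "GET /OA_HTML/OA.jsp'
    '?OAFunc=IRC_VIS_VAC_DISPLAY&_ti=1&oapc=10 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [27/Jul/2017:10:01:40 +0000] "GET /OA_HTML/OA.jsp'
    '?page=/oracle/apps/irc/candidateSearch/webui/AplReferPG&_ti=1&oapc=10'
    ' HTTP/1.1" 200 4800',
    '198.51.100.9 - - [27/Jul/2017:10:05:11 +0000] "POST /OA_HTML/OA.jsp'
    '?page=%2Foracle%2Fapps%2Firc%2FcandidateSearch%2Fwebui%2FAplReferPG'
    '&_ti=2 HTTP/1.1" 200 900',
    '198.51.100.9 - - [27/Jul/2017:10:06:00 +0000] "GET /favicon.ico'
    ' HTTP/1.1" 404 0',
]


def find_direct_refer_requests(lines):
    """Return OA.jsp requests that address the refer page via 'page='."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        url = urlsplit(m["target"])
        if not url.path.lower().endswith("/oa_html/oa.jsp"):
            continue
        # parse_qs percent-decodes values, so encoded slashes still match.
        pages = parse_qs(url.query).get("page", [])
        if any(p.rstrip("/").lower() == REFER_PAGE.lower() for p in pages):
            hits.append({k: m[k] for k in ("ip", "time", "method", "status")})
    return hits


if __name__ == "__main__":
    for hit in find_direct_refer_requests(SAMPLE_LOG):
        print(hit)
```

A hit only shows that the refer page was addressed directly; whether the session was authenticated has to be confirmed against the application's session records.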

Cause
