User is Able To Perform Unauthorized Operations In Flexcube.
(Doc ID 2626668.1)
Last updated on JUNE 21, 2021
Applies to:
Oracle FLEXCUBE Universal Banking - Version 12.4.0.0.0 and later
Information in this document applies to any platform.
Symptoms
On : 12.4.0.0.0 version, Production Support-SET
A user is able to perform unauthorized operations in Flexcube.
As part of vulnerability testing, a tester is able to override Flex Roles for a user and perform actions restricted for his role.
The following are the test steps:
User "XYZ" with the "View-only" role signs in and accesses the following function: STDACCLO
Customer Accounts > Customer Account Maintenance > Account Address Locations >
The application displays the screen with only Enter Query enabled; the New button is not displayed because the user is not authorized to create new records.
By following these steps, the user was able to save a new location code:
1) Click on Enter Query, enter a location code, and click on Execute Query.
2) Modify the following POST parameter (Referer, Accept-Encoding, Accept-Language, Cookie)
Cause