User is Able To Perform Unauthorized Operations In Flexcube.
(Doc ID 2626668.1)
Last updated on JUNE 21, 2021
Applies to:Oracle FLEXCUBE Universal Banking - Version 188.8.131.52.0 and later
Information in this document applies to any platform.
On : 184.108.40.206.0 version, Production Support-SET
User able to perform Unauthorized operations in Flexcube.
As part of Vulnerability Testing, A tester is able to override Flex Roles for a user and perform actions restricted for his role.
The following is the test steps:
User "XYZ" with "View-only" role signs in and accesses the following function: STDACCLO
Customer Accounts > Customer Account Maintenance > Account Address Locations >
The application displays the screen with only Enter Query enabled and New button is not displayed as the user is not authorized to created new records.
By following steps, user was able to save a new Location code
1) Click on Enter Query and enter location code and click on execute query.
2) modify the following POST parameter (Referer,Accept-Encoding,Accept-Language,Cookie)
To view full details, sign in with your My Oracle Support account.
Don't have a My Oracle Support account? Click to get started!
In this Document