Four security vulnerabilities have been discovered in Demantra, part of Oracle's Value Chain Planning suite of software.
London-based security research firm Portcullis discovered the security flaws, which could allow an attacker to steal sensitive information, carry out phishing attacks, and change content within the application itself, among other types of attack.
The first vulnerability, which Portcullis titles 'Stored cross-site scripting in Oracle Demantra', enables attackers to get active HTML or script code executed in an authenticated user's browser.
"Cross-site scripting may be used to perform attacks such as session hijacking by invoking the user's browser to send information stored in their cookies (such as a session identification token) to an arbitrary location controlled by the attacker," wrote Portcullis security researcher Oliver Gruskovnjak on the firm's site.
"Furnished with this information the attacker could immediately access the site, masquerading as the authenticated user who viewed the page containing the malicious code. The attacker would then be able to perform actions as the authorised user, subject to their role, which could include viewing sensitive data, modifying profile information and making transactions," he added.
The second vulnerability, 'SQL injection in Oracle Demantra', enables an attacker to manipulate queries being sent to the database.
Gruskovnjak explained that this could result in hackers being able to extract sensitive information, including (but not limited to) authentication credentials and personal details.
"Such information could be sold by the attacker to other malicious individuals, used in other attacks (as the same password is often used across systems) or released publicly to damage the organisation's reputation," wrote Gruskovnjak.
Hackers could also use this flaw to modify content within the application.
"If this was possible, the attacker could add malicious code to the application, which could then be used to deliver malware or exploit issues within client browsers," Gruskovnjak warned.
The third vulnerability, 'Reflective cross-site scripting in Oracle Demantra', enables attackers to get active HTML or script code executed in an authenticated user's browser.
The final flaw is dubbed 'Arbitrary file retrieval in Oracle Demantra'. In this instance, Portcullis discovered a Local File Include (LFI) vulnerability. A file inclusion vulnerability occurs when a file from the target system is injected into a page served by the attacked server.
Gruskovnjak explained that the impact can differ depending on how the flaw is exploited and on the read permissions of the web server user.
"Depending on these factors an attacker might carry out one or more of the following attacks:
- Harvest useful information from the web.xml configuration file.
- Download the whole web application source code like the vulnerable page itself," he concluded.