Description: Summary: Oracle Application Testing Suite is prone to multiple vulnerabilities.
Vulnerability Insight: Multiple flaws are due to:
- An error in the UploadFileAction servlet when fileType parameter is set as '*'.
- Errors within the 'isAllowedUrl' function which has a list of URI entries which do not require authentication.
- An error within the ActionServlet servlet which bypasses authentication if the URI starts with a specific string.
- Another error within ActionServlet servlet.
- An error within the UploadServlet servlet in the filename header.
- An error within the DownloadServlet in the reportName parameter.
- An error within the DownloadServlet in the repository, workspace, or scenario parameters.
- An error within the DownloadServlet in the scriptName parameter if downloadType is specified as oseScript.
- An error within the DownloadServlet servlet in TMAPReportImage where the downloadType is specified as TMAPReportImage.
- An error within the DownloadServlet servlet in the scheduleReportName parameter where the downloadType is specified as scheduleTaskResults.
- An error within the DownloadServlet servlet in file parameter where the downloadType is specified as subReport.
- An error within the DownloadServlet servlet in the scriptPath parameter where the downloadType is specified as otmPkg.
- An error within the DownloadServlet servlet in the reportName parameter where the downloadType is specified as OTMReport.
- An error within the DownloadServlet servlet in exportFileName parameter where the downloadType is specified as OTMExportFile.
Vulnerability Impact: Successful exploitation will allow remote attackers to bypass authentication, gain access to potentially sensitive files and execute arbitrary code on the affected system.
Affected Software/OS: Oracle Application Testing Suite versions 12.4.0.2 and 12.5.0.2 are known to be affected. Other versions might be affected as well.
Solution: Apply the update from the referenced advisory.
CVSS Score: 6.5
CVSS Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P