E20-0sqm1
CVSS: 9.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
False Positive: f
Variants: 1
Year: 2019
Description
A SQL injection vulnerability exists in the 'General Ledger' component of Oracle E-Business Suite.
A SQL query string can be sent over HTTP via the 'Thin Client Framework' protocol and is later processed in the 'DataManagerServer.readSynch()' method, located in 'oracle/apps/gl/jahe/tcf/server/DataManagerServer.java'. The string is then used as the base string for a database query.
By exploiting this flaw, a remote unauthenticated attacker may execute arbitrary database queries.
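
The pattern described above (a client-supplied string used as the base of a database query) is shown next to a hardened alternative in this added example, which is not Oracle's code or part of the original advisory. The table names, request fields and function names are hypothetical, and SQLite stands in for the database.

```python
import sqlite3

def make_db():
    """In-memory database with constructed sample rows (not Oracle's schema)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE balances (ledger_id INTEGER, account TEXT, amount REAL);
        CREATE TABLE app_users (name TEXT, password_hash TEXT);
        INSERT INTO balances VALUES (1, '1000-CASH', 250.0), (2, '1000-CASH', 90.0);
        INSERT INTO app_users VALUES ('sysadmin', 'constructed-hash');
    """)
    return db

def serve_client_sql(db, request):
    """Flawed pattern: the client's string becomes the base of the query."""
    sql = request["base_query"] + " ORDER BY 1"
    return db.execute(sql).fetchall()

# Hardened pattern: statements are defined on the server; the client only
# names one by key and supplies values that are bound, never concatenated.
SERVER_QUERIES = {
    "balances_by_ledger":
        "SELECT account, amount FROM balances WHERE ledger_id = ? ORDER BY 1",
}

def serve_named_query(db, request):
    sql = SERVER_QUERIES.get(request.get("query_key"))
    if sql is None:
        raise PermissionError("request does not name a server-defined query")
    params = list(request.get("params", []))
    if len(params) != sql.count("?"):
        raise ValueError("wrong number of parameters")
    if not all(isinstance(p, (int, float, str)) for p in params):
        raise ValueError("unsupported parameter type")
    return db.execute(sql, params).fetchall()

if __name__ == "__main__":
    db = make_db()
    # A client that was only meant to read balances reaches another table.
    print(serve_client_sql(db, {"base_query": "SELECT name, password_hash FROM app_users"}))
    print(serve_named_query(db, {"query_key": "balances_by_ledger", "params": [1]}))
```

The hardened handler ignores any query text in the request, so the only statements that can reach the database are the ones listed in `SERVER_QUERIES`.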