PT-2013-11: XML External Entities Injection in Oracle Siebel CRM Vulnerable softwareOracle Siebel CRM Version: 8.1.1, 8.2.2Link: http://www.oracle.com/us/products/applications/siebel/overview/index.htmlSeverity levelSeverity level: Medium Impact: File System Access Access Vector: Remote CVSS v2: Base Score: 5.0 Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)CVE: CVE-2013-3841Software descriptionOracle Siebel CRM is a customer relationship management application used to develop a complex corporate information system. Vulnerability descriptionThe specialists of the Positive Research center have detected an XML External Entities Injection vulnerability in Oracle Siebel CRM.The vulnerability is possible during import of XML files in CRM Siebel. An attacker is able to read an arbitrary file on the target system.How to fixUpdate your software up to the latest versionAdvisory status05.02.2013 - Vendor gets vulnerability details 15.10.2013 - Vendor releases fixed version and details 25.10.2013 - Public disclosureCreditsThe vulnerability was detected by Nikita Mikhalevsky, Positive Research Center (Positive Technologies Company)Referenceshttp://en.securitylab.ru/lab/PT-2013-11 http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html Reports on the vulnerabilities previously discovered by Positive Research:http://www.ptsecurity.com/research/advisory/ http://en.securitylab.ru/lab/