PT-2013-11: XML External Entities Injection in Oracle Siebel CRM
Oracle Siebel CRM
Version: 8.1.1, 8.2.2
Severity level: Medium
Impact: File System Access
Access Vector: Remote
Base Score: 5.0
Oracle Siebel CRM is a customer relationship management application used to develop a complex corporate information system.
The specialists of the Positive Research center have detected an XML External Entities Injection vulnerability in Oracle Siebel CRM.
The vulnerability is possible during import of XML files in CRM Siebel. An attacker is able to read an arbitrary file on the target system.
How to fix
Update your software up to the latest version
05.02.2013 - Vendor gets vulnerability details
15.10.2013 - Vendor releases fixed version and details
25.10.2013 - Public disclosure
The vulnerability was detected by Nikita Mikhalevsky, Positive Research Center (Positive Technologies Company)
Reports on the vulnerabilities previously discovered by Positive Research: