
RE: CVE for services - already done? CVE-2017-10128



It reads to me like there is an app that resides on systems in the hotel offices, and that’s where the vulnerability is, so an action by the local admin is needed to address.



Tom Millar, US-CERT

Sent from +1-202-631-1915
https://www.us-cert.gov
 

From: owner-cve-editorial-board-list@lists.mitre.org on behalf of Kurt Seifried
Sent: Wednesday, October 18, 2017 9:47:45 PM
To: cve-editorial-board-list; Andy Balinsky (balinsky)
Subject: CVE for services - already done? CVE-2017-10128

Vulnerability in the Hospitality WebSuite8 Cloud Service component of Oracle Hospitality Applications (subcomponent: General). Supported versions that are affected are 8.9.6 and 8.10.x. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Hospitality WebSuite8 Cloud Service. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Hospitality WebSuite8 Cloud Service, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Hospitality WebSuite8 Cloud Service accessible data as well as unauthorized read access to a subset of Hospitality WebSuite8 Cloud Service accessible data. CVSS 3.0 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

https://www.oracle.com/industries/hospitality/products/websuite8.html

Oracle Hospitality WebSuite8 is cloud-based hotel software designed for small hotels and guest and boarding houses. The solution enables efficient guest and room management while increasing online revenue through an integrated booking engine and channel manager solution. This product is available in the EMEA and JAPAC regions only.

So I guess we're doing cloud services now =) or should this be rejected, or?

--
Kurt Seifried
kurt@seifried.org

Page Last Updated or Reviewed: October 19, 2017