[ERPSCAN-09-010] Oracle Database 10G CTXSYS.DRVXTABX — PLSQL Injection

DSECRG Advisories

Application: Oracle Database 10G
Versions Affected: Oracle,,,
Vendor URL: http://oracle.com
Bugs: PL/SQL Injections
Exploits: YES
Reported: 29.01.2008
Vendor response: 31.01.2008
CVE: CVE-2009-1991
CVSS2: 3.6
Date of Public Advisory: 26.10.2009
Solution: YES (unofficial)
Author: Alexandr Polyakov

Oracle Database 10G and 9g are vulnerable to PL/SQL injection. The injection was found in the procedure ctxsys.drvxtabc.create_tables.

Business Risk
A legitimate database user can escalate privileges and gain unauthorized access to business-critical data.