Medium severity5.4NVD Advisory· Published Sep 18, 2018· Updated Jun 17, 2026
CVE-2018-16958
CVE-2018-16958
Description
An issue was discovered in Oracle WebCenter Interaction Portal 10.3.3. The ASP.NET_SessionID primary session cookie, when Internet Information Services (IIS) with ASP.NET is used, is not protected with the HttpOnly attribute. The attribute cannot be enabled by customers. Consequently, this cookie is exposed to session hijacking attacks should an adversary be able to execute JavaScript in the origin of the portal installation. NOTE: this CVE is assigned by MITRE and isn't validated by Oracle because Oracle WebCenter Interaction Portal is out of support.
Affected products
1- Range: = 10.3.3
Patches
Vulnerability mechanics
References
2- www.securityfocus.com/bid/105350nvdThird Party AdvisoryVDB Entry
- seclists.org/fulldisclosure/2018/Sep/22nvdMailing ListThird Party Advisory
News mentions
0No linked articles in our index yet.