PT-2013-06: Current User Context Access in Oracle Siebel CRM Vulnerable softwareOracle Siebel CRM Version: 8.1.1, 8.2.2Link: http://www.oracle.com/us/products/applications/siebel/overview/index.htmlSeverity levelSeverity level: Medium Impact: Current User Context Access Access Vector: Remote CVSS v2: Base Score: 5.0 Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)CVE: CVE-2013-5867Software descriptionOracle Siebel CRM is a customer relationship management application used to develop a complex corporate information system. Vulnerability descriptionThe specialists of the Positive Research center have detected a Current User Context Access vulnerability in Oracle Siebel CRM.An attacker is able to access the system and operate in the name of aby user. The attacker can get context bruteforcing certain cookie values. All systems with hard-coded initial value of the used encryption algorithm are vulnerable. How to fixUpdate your software up to the latest versionAdvisory status05.02.2013 - Vendor gets vulnerability details 15.10.2013 - Vendor releases fixed version and details 25.10.2013 - Public disclosureCreditsThe vulnerability was detected by Alexander Tlyapov, Dmitry Sklyarov, Positive Research Center (Positive Technologies Company)Referenceshttp://en.securitylab.ru/lab/PT-2013-06 http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html Reports on the vulnerabilities previously discovered by Positive Research:http://www.ptsecurity.com/research/advisory/ http://en.securitylab.ru/lab/