Oracle Database Server and Oracle Enterprise Manager Grid Control contain a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the /em/console/ecm/search/searchPage script not properly sanitizing user-supplied input to the 'SCPLBL_INSTALLED_DATE0DI' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

Currently, there are no known workarounds or upgrades to correct this issue. However, Oracle has released a patch to address this vulnerability. Check the vendor advisory or solution in the references section.

• Security Tracker: 1026929
• CVE ID: 2012-0525 (see also: NVD)
• Secunia Advisory ID: 48855 48870 50404
• Vendor Specific News/Changelog Entry: http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00018.html
• Packet Storm: http://packetstormsecurity.org/files/112005/Oracle-Enterprise-Manager-searchPage-SQL-Injection.html
• Mail List Post: http://seclists.org/bugtraq/2012/Apr/152
• Vendor Specific Advisory URL: http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html
• Other Advisory URL: https://www.teamshatter.com/?p=3418

• Esteban Martínez Fayó - Application Security Inc.