German security research Alexander Kornbrust of Red-Database-Security has issued six security advisories affecting Oracle Forms and Oracle Reports.
On the highly critical side, the vulnerabilities could allow a system to be compromised, provide for privilege escalation attacks or allow an attacker to overwrite arbitrary files. At the low end, the flaws could be used for cross site scripting attacks or information disclosure.
Kornbrust claims that he informed Oracle of the flaws as early as 2003. The security researcher alleges in his advisory timeline that Oracle was again notified in April and that if that flaws were not fixed in Oracle's July Critical Patch update, the flaws would go public.
Oracle has not yet publicly addressed or confirmed Kornbrust's claims on its security Web site.
An Oracle spokesperson told internetnews.com that security is a matter Oracle takes seriously and Oracle's first priority is meeting customer needs and reducing their risk.
"When software flaws are discovered, Oracle responds as quickly as possible to help protect information secured by customers in Oracle-based information systems," the spokesperson said. "Oracle's policy is to fix security vulnerabilities in severity order - higher severity vulnerabilities are fixed as a priority over lower severity vulnerabilities."
Oracle encourages customers and researchers to contact them as soon as they discover security vulnerabilities, the spokesperson explained.