Oracle 8i through 10g release 2 suffers from a SQL injection vulnerability in SYS.DBMS_UPGRADE_INTERNAL.
You can download this advisory from the following link: https://packetstormsecurity.com/files/download/56061/oracle-sqlinj2.txt
Source: https://packetstormsecurity.com/files/56061/oracle-sqlinj2.txt.html