Oracle 10g Release 1 is susceptible to SQL injection flaws due to the SYS.DBMS_UPGRADE package.
You can download this advisory from the following link: https://packetstormsecurity.com/files/download/48403/oracle-SYS.DBMS_UPGRADE.txt
Source: https://packetstormsecurity.com/files/48403/oracle-SYS.DBMS_UPGRADE.txt.html