The sendmail.jsp sample page in Oracle 9i Application Server (9iAS) allows remote attackers to send arbitrary emails.
https://exchange.xforce.ibmcloud.com/vulnerabilities/8664
http://www.securityfocus.com/bid/6556
http://www.oracle.com/technology/deploy/security/pdf/ias_modplsql_alert.pdf