vendor: Oracle Business Process Management
by: Unknown
CVSS: 7.5 (HIGH)
CWE: 79 (Cross-site scripting)
Product Name: Oracle Business Process Management
Affected Version From: 5.7 MP3
Affected Version To: 10.3 MP2
Patch Exists: No
Related CWE: Unknown
CPE: oracle:business_process_management
Platforms Tested: Unknown
Unknown
Cross-site scripting vulnerability in Oracle Business Process Management
Oracle Business Process Management is prone to a cross-site scripting vulnerability because it does not properly sanitize user-supplied input. An attacker can exploit this vulnerability to execute arbitrary script code in the browser of a user visiting the affected site. This can lead to the theft of cookie-based authentication credentials and enable the attacker to launch further attacks.
Mitigation:
To mitigate this vulnerability, sanitize and validate user-supplied input before using it in web applications. Additionally, implementing a Content Security Policy can help prevent cross-site scripting attacks.