header-logo
Suggest Exploit
vendor:
Oracle Business Process Management
by:
Unknown
7.5
CVSS
HIGH
Cross-site scripting
79
CWE
Product Name: Oracle Business Process Management
Affected Version From: 5.7 MP3
Affected Version To: 10.3 MP2
Patch Exists: No
Related CWE: Unknown
CPE: oracle:business_process_management
Metasploit:
Other Scripts:
Platforms Tested: Unknown
Unknown

Cross-site scripting vulnerability in Oracle Business Process Management

The Oracle Business Process Management is prone to a cross-site scripting vulnerability due to improper sanitization of user-supplied input. An attacker can exploit this vulnerability to execute arbitrary script code in the browser of a user visiting the affected site. This can lead to the theft of cookie-based authentication credentials and enable the attacker to launch further attacks.

Mitigation:

To mitigate this vulnerability, it is recommended to sanitize and validate user-supplied input before using it in web applications. Additionally, implementing a content security policy can help prevent cross-site scripting attacks.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/41617/info

Oracle Business Process Management is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.

This vulnerability affects the following supported versions:
5.7 MP3, 6.0 MP5, 10.3 MP2

http://www.example.com:8585/webconsole/faces/faces/faces/jsf/tips.jsp?context=<script>alert(document.cookie)</script>
http://www.example.com:8585/webconsole/faces/faces/faces/jsf/tips.jsp?context=<script>alert('CorelanTeam')</script>