erpscan | Nikita Kelesis, Ivan Chalykin, Alexey Tyurin (ERPScan) | ERPSCAN-15-027
History: Jul 17, 2015 - 12:00 a.m.

Oracle E-Business Suite - Cross-site Scripting vulnerability

erpscan.io

CVSS2: 4.3 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

EPSS: 0.003 Low
Percentile: 64.6%

Application: E-Business Suite
Vendor URL: Oracle
Bugs: Cross-site Scripting
Reported: 17.07.2015
Vendor response: 24.07.2015
Date of Public Advisory: 20.10.2015
Reference: Oracle CPU Oct 2015
Authors: Nikita Kelesis, Ivan Chalykin, Alexey Tyurin (ERPScan)

VULNERABILITY INFORMATION
Class: Cross-site Scripting
Impact: impersonation, information disclosure
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2015-4854
CVSS Information
CVSS Base Score: 4.3 / 10
CVSS Base Vector:

AV : Access Vector (Related exploit range) Network (N)
AC : Access Complexity (Required attack complexity) Medium (M)
Au : Authentication (Level of authentication needed to exploit) None (N)
C : Impact to Confidentiality None (N)
I : Impact to Integrity Partial (P)
A : Impact to Availability None (N)

Business Risk
A cross-site scripting vulnerability can lead to injection of malicious scripts into a trusted web site. By exploiting this vulnerability, an internal or external attacker will be able to escalate their privileges. With the help of this access, it is possible to obtain sensitive technical and/or business-related information stored in the vulnerable Oracle system.

Description
Oracle E-Business Suite has a linked DOM XSS vulnerability.

VULNERABLE PACKAGES
Oracle E-Business Suite 12.1.4
Other versions are probably affected too, but they were not checked.

SOLUTIONS AND WORKAROUNDS
Install Oracle CPU October 2015

TECHNICAL DESCRIPTION
The CfgOCIReturn servlet is vulnerable to Cross-site Scripting (XSS) because it does not sanitize the Domain parameter.
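
A defender-side check for the parameter named above, as an added example (not ERPScan's or Oracle's code): it scans web access logs for requests to CfgOCIReturn whose Domain value decodes to HTML or JavaScript metacharacters. The log format, the `/PLACEHOLDER/` path prefix, the case-insensitive matching and the character set are assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Request line inside a "combined"-style access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Characters that carry meaning in HTML or JavaScript contexts (assumed set).
MARKUP_CHARS = re.compile(r'[<>"\'`(){};\\]')
MAX_DECODE_ROUNDS = 3  # bounded, so double or triple URL-encoding is still caught


def fully_decode(value: str) -> str:
    """Percent-decode repeatedly until the value stops changing."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_domain_requests(log_lines):
    """Return (line_number, decoded Domain value) for each flagged request."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        target = urlsplit(match.group(1)) if match else None
        if target is None or "cfgocireturn" not in target.path.lower():
            continue
        # parse_qsl performs the first round of percent-decoding itself.
        for name, value in parse_qsl(target.query, keep_blank_values=True):
            decoded = fully_decode(value)
            if name.lower() == "domain" and MARKUP_CHARS.search(decoded):
                hits.append((number, decoded))
    return hits


# Constructed sample lines; the path prefix is a placeholder, not the real servlet URL.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Nov/2015:10:00:01 +0000] "GET /PLACEHOLDER/CfgOCIReturn?Domain=example.com HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Nov/2015:10:00:05 +0000] "GET /PLACEHOLDER/CfgOCIReturn?Domain=%22%3E%3Cb%3Etest HTTP/1.1" 200 530',
    '192.0.2.12 - - [01/Nov/2015:10:00:09 +0000] "GET /PLACEHOLDER/CfgOCIReturn?domain=%253Cb%253E HTTP/1.1" 200 530',
    '192.0.2.13 - - [01/Nov/2015:10:00:12 +0000] "GET /PLACEHOLDER/Other?Domain=%3Cb%3E HTTP/1.1" 200 99',
]

if __name__ == "__main__":
    for number, value in suspicious_domain_requests(SAMPLE_LOG):
        print(f"line {number}: Domain={value!r}")
```

Access logs normally record only the query string, so a Domain value sent in a POST body would need request-body logging or a WAF rule to be seen.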
