| CVSS2 Base Score | 4.3 Medium |
|---|---|
| Access Vector | NETWORK |
| Access Complexity | MEDIUM |
| Authentication | NONE |
| Confidentiality Impact | NONE |
| Integrity Impact | PARTIAL |
| Availability Impact | NONE |
| Vector | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| EPSS | 0.003 Low |
| EPSS Percentile | 64.6% |
Application: E-Business Suite
Vendor URL: Oracle
Bugs: Cross-site Scripting
Reported: 17.07.2015
Vendor response: 24.07.2015
Date of Public Advisory: 20.10.2015
Reference: Oracle CPU Oct 2015
Authors: Nikita Kelesis, Ivan Chalykin, Alexey Tyurin (ERPScan)
VULNERABILITY INFORMATION
Class: Cross-site Scripting
Impact: impersonation, information disclosure
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2015-4854
CVSS Information
CVSS Base Score: 4.3 / 10
CVSS Base Vector:
| Metric | Value |
|---|---|
| AV : Access Vector (Related exploit range) | Network (N) |
| AC : Access Complexity (Required attack complexity) | Medium (M) |
| Au : Authentication (Level of authentication needed to exploit) | None (N) |
| C : Impact to Confidentiality | None (N) |
| I : Impact to Integrity | Partial (P) |
| A : Impact to Availability | None (N) |
Business Risk
A cross-site scripting vulnerability can lead to the injection of malicious scripts into a trusted web site. By exploiting this vulnerability, an internal or external attacker will be able to escalate their privileges. With the help of this access, it is possible to obtain sensitive technical and/or business-related information stored in the vulnerable Oracle system.
Description
Oracle E-Business Suite has a linked DOM XSS vulnerability.
VULNERABLE PACKAGES
Oracle E-Business Suite 12.1.4
Other versions are probably affected too, but they were not checked.
SOLUTIONS AND WORKAROUNDS
Install Oracle CPU October 2015
TECHNICAL DESCRIPTION
The CfgOCIReturn servlet is vulnerable to Cross-site Scripting (XSS) because the Domain parameter is not sanitized.
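As an added illustration of how a defender might triage web-server logs for this issue (an example written for this page, not code from the advisory or from Oracle): it flags requests to the CfgOCIReturn servlet whose Domain parameter, after percent-decoding (repeated, so double-encoded values are caught), carries HTML or script metacharacters. The log lines and the `/OA_HTML/` path prefix are constructed assumptions; a check like this is a triage aid while the October 2015 CPU is rolled out, not a replacement for it.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format); the /OA_HTML/ prefix is assumed.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Oct/2015:10:01:02 +0000] "GET /OA_HTML/CfgOCIReturn?Domain=corp.example.com HTTP/1.1" 200 512
10.0.0.9 - - [21/Oct/2015:10:01:07 +0000] "GET /OA_HTML/CfgOCIReturn?Domain=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640
10.0.0.9 - - [21/Oct/2015:10:01:09 +0000] "GET /OA_HTML/CfgOCIReturn?Domain=x%2522%253E%253Cimg HTTP/1.1" 200 640
10.0.0.7 - - [21/Oct/2015:10:02:00 +0000] "GET /OA_HTML/RF.jsp?function_id=1 HTTP/1.1" 200 300
"""

# Request line inside the quoted field of a combined-format log entry.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Characters/tokens that have no business in a hostname-like Domain value.
SUSPICIOUS = re.compile(r'[<>"\']|javascript:|on\w+\s*=', re.IGNORECASE)

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded values are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def check_request(target):
    """Return the decoded Domain value if a CfgOCIReturn request looks suspicious, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/CfgOCIReturn"):
        return None
    # parse_qs already decodes one level; decode_fully handles further levels.
    for value in parse_qs(parts.query, keep_blank_values=True).get("Domain", []):
        decoded = decode_fully(value)
        if SUSPICIOUS.search(decoded):
            return decoded
    return None

def scan_log(text):
    """Return (line_number, client_ip, decoded_domain) for every flagged log line."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        bad = check_request(m.group("target"))
        if bad is not None:
            hits.append((n, line.split()[0], bad))
    return hits

if __name__ == "__main__":
    for n, ip, value in scan_log(SAMPLE_LOG):
        print(f"line {n}: {ip} sent Domain={value!r}")
```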