CVSS3: 7.1 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: HIGH
Availability Impact: NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N

CVSS2: 7.8 High
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: COMPLETE
Availability Impact: NONE
AV:N/AC:M/Au:N/C:P/I:C/A:N

EPSS: 0.002 Low
Percentile: 51.8%

Application: Oracle E-Business Suite
Versions Affected: Oracle E-Business Suite 12.2.3
Vendor: Oracle
Bugs: XSS
Reported: 23.12.2016
Vendor response: 24.12.2016
Date of Public Advisory: 18.04.2017
Reference: Oracle CPU April 2017
Authors: Ivan Chalykin (ERPScan)
Class: XSS
Impact: modify displayed content from a Web site, steal authentication information of a user
Remotely Exploitable: yes
Locally Exploitable: yes
CVE: CVE-2017-3557
CVSS Base Score v3: 7.1 / 10
CVSS Base Vector:
Metric | Value |
---|---|
AV: Attack Vector (Related exploit range) | Network (N) |
AC: Attack Complexity (Required attack complexity) | Low (L) |
PR: Privileges Required (Level of privileges needed to exploit) | None (N) |
UI: User Interaction (Required user participation) | Required (R) |
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) | Unchanged (U) |
C: Impact to Confidentiality | Low (L) |
I: Impact to Integrity | High (H) |
A: Impact to Availability | None (N) |

An attacker can use a special HTTP request to hijack session data of administrators or users of the web application.
Oracle E-Business Suite 12.2.3
To correct this vulnerability, apply Oracle CPU April 2017.
The “Oracle Fulfillment Management: Print Servers” component is vulnerable to a stored XSS attack because the “Print Server Name” and “Connection String” parameters are not sanitized.
Vulnerable URL:
http://victim_ebs_server/OA_HTML/jtffmprintserver.jsp
To reproduce the attack, you need to create a print server with an XSS vector in the vulnerable parameters. This JSP is available to all E-Business Suite users.
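
The root cause described above, as an added example that is not Oracle's code or part of the original advisory: a Java routine that renders stored “Print Server Name” and “Connection String” values into a table row, first concatenated as-is and then with HTML output encoding. The class, method names and sample records are hypothetical and constructed for illustration.

```java
import java.util.List;

// Added illustration: class, method and sample names are hypothetical,
// not taken from Oracle E-Business Suite.
public class PrintServerRow {

    // Encode the five characters that can break out of HTML text or a
    // quoted attribute value.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Vulnerable pattern: stored values are concatenated into markup as-is,
    // so any markup saved in either field is interpreted by every viewer's browser.
    static String renderUnsafe(String name, String conn) {
        return "<tr><td>" + name + "</td><td>" + conn + "</td></tr>";
    }

    // Hardened pattern: every stored value is encoded at output time,
    // so it is displayed as text regardless of what was saved.
    static String renderSafe(String name, String conn) {
        return "<tr><td>" + escapeHtml(name) + "</td><td>" + escapeHtml(conn) + "</td></tr>";
    }

    public static void main(String[] args) {
        // Constructed sample records: {print server name, connection string}.
        List<String[]> stored = List.of(
            new String[] {"HQ-Laser-01", "ipp://print01.example.internal:631"},
            new String[] {"Lab <b>marker</b>", "x\"><i>marker</i>"});
        for (String[] r : stored) {
            System.out.println("unsafe: " + renderUnsafe(r[0], r[1]));
            System.out.println("safe:   " + renderSafe(r[0], r[1]));
        }
    }
}
```

For the second record, the unsafe row contains live `<b>` and `<i>` elements, while the safe row shows the same characters as `&lt;b&gt;` and `&quot;&gt;&lt;i&gt;` text.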