Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

oracle1016-xss.txt

🗓️ 19 Apr 2007 00:00:00Reported by Alexander KornbrustType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 20 Views

Name Cross-Site-Scripting Vulnerability in Oracle SES 10.1.6, affecting Oracle Enterprise Search, with medium risk severity and a recommended upgrade to the latest version or apply CPU April 2007 patch. Details An XSS vulnerability is found in the parameter EXPTYPE in boundary_rules.jsp of Oracle Secure Enterprise Search 10g

Code
`Name Cross-Site-Scripting Vulnerability in Oracle Secure Enterprise Search  
Systems Affected Oracle Secure Enterprise Search 10.1.6- SES  
Severity Medium Risk  
Category Cross Site Scripting (XSS/CSS)  
Vendor URL http://www.oracle.com/  
Author Alexander Kornbrust (ak at red-database-security.com)  
Date 17 April 2007 (V 1.00)  
  
  
Details  
#######  
Oracle Secure Enterprise Search 10g, a standalone product from Oracle, enables a secure, high quality, easy-to-use search across all enterprise information assets.  
  
The parameter EXPTYPE in boundary_rules.jsp contains a cross site scripting vulnerability.  
  
This advisory is available at  
<http://www.red-database-security.com/advisory/oracle_css_ses.html>  
  
  
Exploit  
#######  
<http://ses10106:7777/search/admin/sources/boundary_rules.jsp?event=deleteIncludeRule&p_src=web&p_mode=edit&p_id=3&pattern=rds&expType=%3Cscript%3Ealert(document.cookie)%3C/script%3ECC_SIMPLE_INCLUSION'>  
  
  
Affected Products  
#################  
Oracle Enterprise Search  
  
  
Patch Information  
#################  
Please upgrade to the latest version of SES or apply CPU April 2007.  
  
  
  
History  
#######  
05-Apr-2005 Oracle secalert was informed  
06-Apr-2005 Bug confirmed  
17-apr-2007 Oracle published CPU April 2007  
17-apr-2007 Red-Database-Security published this advisory  
  
  
Additional Information  
######################  
An analysis of the Oracle CPU April 2007 is available here   
<http://www.red-database-security.com/advisory/oracle_cpu_apr_2007.html>  
  
This document will be updated during the next few days and weeks with the latest information.  
  
  
(c) 2007 by Red-Database-Security GmbH  
--  
http://www.red-database-security.com  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
19 Apr 2007 00:00Current
7.4High risk
Vulners AI Score7.4
oracle ses 10.1.6cross site scriptingmedium riskupgradecpu april 2007xss vulnerability
20