A cross-site scripting (XSS) attack causes arbitrary code (JavaScript) to run in a user’s browser while the browser is connected to a trusted web site. The application targets the users and it uses your application as a vehicle for the attack.
*Affected Products: Oracle Help Technologies-UIX, Oracle Application Development Framework (ADF), Oracle’s Browser Look and Feel Plus (BLAF+), Oracle fusion middleware.
The following vulnerability was tested on Oracle Web content Management version 12.2.1.3.0.
Figure01: Help docs page in the Oracle Web content.
Figure 02: Navigate to any of the help topics shown above.
Figure 03: Inserting a simple payload & reflects in the response body without sanitization.
Figure 04: While triggering the print page event, the payload gets stored and assigned with the path URL. Whenever the user clicks the print page, the payload will be executed in the user browser.
Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Help Technologies accessible data as well as unauthorized update, insert or delete access to some of Oracle Help Technologies accessible data.
Download and apply the relevant patches from the vendor:
Jan 11, 2020: Reported to Vendor
Jan 12, 2020: Vendor Responded
Jun 19, 2020: CVE Assigned
Jul 14, 2020:Vendor Released Fixed
