Oracle JD Edwards EnterpriseOne Tools contains a flaw related to the Web Runtime SEC component that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'e1.namespace' parameter upon submission to the /jde/E1Menu_OCL.mafService script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

Currently, there are no known workarounds or upgrades to correct this issue. However, Oracle has released a patch to address this vulnerability. Check the vendor advisory or solution in the references section.

• CVE ID: 2011-0836 (see also: NVD)
• Secunia Advisory ID: 44279
• Related OSVDB ID: 71913 71914 71916 71917 71918
• Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/current/0322.html
  http://seclists.org/fulldisclosure/2011/Apr/328
• News Article: http://www.computerworld.com/s/article/9215838/Oracle_to_fix_73_security_bugs_next_week
• Vendor Specific Solution URL: http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html#AppendixJDE

• Juan Manuel Garcia - CYBSEC S.A. Security Systems