Oracle BI Publisher contains a flaw in the Administration subcomponent that allows a reflected cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'newjob' parameter upon submission to the /xmlpserver/navigator.jsp script. This may allow an attacker to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

Currently, there are no known workarounds or upgrades to correct this issue. However, Oracle has released a patch to address this vulnerability. Check the vendor advisory in the references section.

• Security Tracker: 1027669
• CVE ID: 2012-3194 (see also: NVD)
• Secunia Advisory ID: 50986 50988
• Related OSVDB ID: 86390 91658
• Other Advisory URL: http://www.baesystemsdetica.com.au/Research/Advisories/Oracle-BI-Publisher-Multiple-Vulnerabilities-%28SS-2
• Vendor Specific Advisory URL: http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html
  http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html#AppendixFMW

• Andy Yang - BAE Systems Detica
• Andy Yang - BAE Systems Detica