OSVDB ID: 86391

Title: Oracle BI Publisher Administration Subcomponent /xmlpserver/navigator.jsp newjob Parameter XSS

Info

Disclosure

Oct 16, 2012

Discovery

Unknown

Dates

Exploit

Nov 28, 2012

Solution

Oct 16, 2012

Description

Oracle BI Publisher contains a flaw in the Administration subcomponent that allows a reflected cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'newjob' parameter upon submission to the /xmlpserver/navigator.jsp script. This may allow an attacker to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

Classification

Location: Context Dependent
Attack Type: Input Manipulation
Impact: Loss of Integrity
Solution: Patch / RCS
Exploit: Exploit Public
Disclosure: Vendor Verified, Coordinated Disclosure
OSVDB: Web Related

Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Oracle has released a patch to address this vulnerability. Check the vendor advisory in the references section.

Products

Oracle Corporation

BI Publisher

10.1.3.4.2
11.1.1.5.0
11.1.1.6.0
11.1.1.6.2

References

Credit

Unknown or Incomplete



Direct URL: http://osvdb.org/86391