Securin Zero-Days

CVE-2020-14723 – Stored Cross-Site Scripting in Oracle

Severity: High

Vendor

Oracle

Affected Product

See Full List Below*

CVE

CVE-2020-14723

Securin ID

2020-CSW-01-1037

Status

Fixed

Date

January 11, 2020

Description

A cross-site scripting (XSS) attack causes arbitrary script (JavaScript) to run in a user's browser in the context of a trusted web site. The attacker targets the site's users and uses the application as the vehicle for the attack. In this case, input supplied to a help-topic page served by Oracle Help Technologies is reflected in the response without sanitization and, when the print-page function is triggered, is stored as part of the page's print URL, so the script executes in the browser of any user who later clicks the print-page link.

*Affected Products: Oracle Help Technologies (UIX), Oracle Application Development Framework (ADF), Oracle Browser Look and Feel Plus (BLAF+), Oracle Fusion Middleware.

Proof of Concept (POC):

The following vulnerability was tested on Oracle Web Content Management version 12.2.1.3.0.

Figure 01: Help docs page in Oracle Web Content Management.

Figure 02: Navigate to any of the help topics shown above.

Figure 03: Inserting a simple payload; it is reflected in the response body without sanitization.

Figure 04: Triggering the print-page event stores the payload as part of the page's path URL. Whenever a user clicks the print-page link, the payload executes in that user's browser.
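To make the reflected-then-stored behaviour described in the Description and the PoC concrete, the following is an added example and not Oracle's code: a stand-in for a help-topic page that echoes a request parameter into its heading and into the generated print-page link, shown in its vulnerable form beside the output-encoded form that closes the hole. The parameter name `topic`, the page ids, the URL path and the store are assumptions for illustration.

```javascript
// Added example (not Oracle's code). Models a help page that reflects a
// request parameter and, when the print event fires, persists it as the
// page's print target. Parameter name, paths and ids are assumed.

// Minimal escaper for HTML text and double-quoted attribute contexts.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Simulated server-side store: page id -> topic value saved when the
// print-page event fires. This is the "stored" half of the stored XSS.
const printTargets = new Map();

function triggerPrint(pageId, topic) {
  printTargets.set(pageId, topic); // the attacker's value is persisted here
}

// Vulnerable render: the stored value is concatenated raw into the heading
// (text context) and into the href (attribute + URL context), so every
// user who views the page gets the payload replayed into their browser.
function renderVulnerable(pageId) {
  const topic = printTargets.get(pageId) || "";
  return "<h1>" + topic + "</h1>" +
         '<a href="/help/print?topic=' + topic + '">Print page</a>';
}

// Hardened render: encode for each output context. The value is
// URL-encoded where it lands in the query string and HTML-escaped where it
// lands in text or attribute context. The store itself is unchanged; the
// fix is applied on output.
function renderHardened(pageId) {
  const topic = printTargets.get(pageId) || "";
  const printUrl = "/help/print?topic=" + encodeURIComponent(topic);
  return "<h1>" + escapeHtml(topic) + "</h1>" +
         '<a href="' + escapeHtml(printUrl) + '">Print page</a>';
}

// Constructed test payload, the kind of "simple payload" the PoC uses:
// closes the attribute, then injects a script element.
const PAYLOAD = '"><script>alert(document.domain)</script>';

// Quick check a tester can apply to a captured response body: does the
// payload come back byte-for-byte, i.e. with no encoding at all?
function reflectsUnsanitized(body, payload) {
  return body.includes(payload);
}

// Stand-alone demonstration.
triggerPrint("topic-42", PAYLOAD);
console.log("vulnerable:", renderVulnerable("topic-42"));
console.log("hardened:  ", renderHardened("topic-42"));
```

The point of the hardened form is that sanitising on input is not enough once the value has been persisted; the print URL is rebuilt on every page view, so the encoding has to happen at each output context (URL component for the query string, HTML escaping for the attribute and the heading).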

Impact

Successful exploitation of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Help Technologies accessible data, as well as unauthorized update, insert or delete access to some of Oracle Help Technologies accessible data. Exploitation requires user interaction: a victim must open the affected help page and click the print-page link, at which point the stored payload runs in the victim's browser session.

Remediation

Download and apply the relevant patches from the vendor's July 2020 Critical Patch Update:

https://www.oracle.com/security-alerts/cpujul2020.html

Timeline

Jan 11, 2020: Reported to Vendor

Jan 12, 2020: Vendor Responded

Jun 19, 2020: CVE Assigned

Jul 14, 2020: Vendor released fix (Oracle Critical Patch Update, July 2020)
