
Stored Cross-Site Scripting in Oracle

Affected Vendor

Oracle

Status

Fixed

Date

Jan 11, 2020

High Severity

Description

A cross-site scripting (XSS) attack causes arbitrary code (JavaScript) to run in a user's browser while the browser is connected to a trusted web site. The attack targets the application's users and uses your application as the vehicle for the attack.

Proof of concept (POC)

The following vulnerability was tested on Oracle Web content Management version 12.2.1.3.0.

Figure 01: Help docs page in the Oracle Web content.

Figure 02: Navigate to any of the help topics shown above.

Figure 03: Inserting a simple payload, which is reflected in the response body without sanitization.

Figure 04: When the print page event is triggered, the payload is stored and assigned to the path URL. Whenever the user clicks the print page, the payload is executed in the user's browser.
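The pattern described in Figures 03 and 04, a request value reaching both the page body and the print-page URL unencoded, is shown below next to a hardened form with per-sink output encoding. This is an added example, not code from the advisory or from Oracle; the `/help/print` route, the `topic` parameter and all function names are hypothetical, and the sample input is constructed.

```javascript
// Added example: hypothetical help-page renderer, not Oracle code.
// `topic` models a request value that lands in two sinks: the page body
// and the "print page" link URL.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode a value for HTML text and quoted-attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the value is concatenated into markup as-is.
function renderUnsafe(topic) {
  return `<h1>${topic}</h1><a href="/help/print?topic=${topic}">Print page</a>`;
}

// Hardened pattern: encode per sink. The query value is URL-encoded first,
// then the whole attribute value is HTML-encoded; body text is HTML-encoded.
function renderSafe(topic) {
  const href = "/help/print?topic=" + encodeURIComponent(topic);
  return `<h1>${escapeHtml(topic)}</h1><a href="${escapeHtml(href)}">Print page</a>`;
}

// Regression check helper: list every tag name present in the output, so a
// test can assert that only the template's own tags were emitted.
function tagNames(html) {
  return [...html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
}

// True when the rendered page contains exactly the template's tags.
function onlyTemplateTags(html) {
  return tagNames(html).join(",") === "h1,h1,a,a";
}

// Constructed sample input that tries to close the attribute and add a tag.
const SAMPLE = '"><script>alert(1)</script>';

console.log("unsafe keeps template tags only:", onlyTemplateTags(renderUnsafe(SAMPLE)));
console.log("safe keeps template tags only:  ", onlyTemplateTags(renderSafe(SAMPLE)));
```
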

Impact

Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Help Technologies accessible data as well as unauthorized update, insert or delete access to some of Oracle Help Technologies accessible data.

Remediations

Download and apply the relevant patches from the vendor:

https://www.oracle.com/security-alerts/cpujul2020.html

Timeline

Jan 11, 2020: Reported to Vendor

Jan 12, 2020: Vendor Responded

Jun 19, 2020: CVE Assigned

Jul 14, 2020: Vendor Released Fix

Discovered by

Cyber Security Research (CSW) Lab.


  • Affected Vendor: Oracle
  • Bug Name: Stored Cross-Site Scripting
  • CVE Number: CVE-2020-14723
  • CWE ID: CWE-79
  • CSW ID: 2020-CSW-01-1037
  • CVSSv3 Score: 8.2
  • Affected Version: 12.2.1.3.0
  • Severity: High
  • Affected Product: Oracle Help Technologies-UIX, Oracle Application Development Framework (ADF), Oracle's Browser Look and Feel Plus (BLAF+), Oracle fusion middleware.