[ERPSCAN-15-027] Oracle E-Business Suite – Cross-site Scripting vulnerability

Application: E-Business Suite
Vendor: Oracle
Bugs: Cross-site Scripting
Reported: 17.07.2015
Vendor response: 24.07.2015
Date of Public Advisory: 20.10.2015
Reference: Oracle CPU Oct 2015
Authors: Nikita Kelesis, Ivan Chalykin, Alexey Tyurin (ERPScan)

Class: Cross-site Scripting
Impact: impersonation, information disclosure
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2015-4854
CVSS Information (CVSS v2)
CVSS Base Score: 4.3 / 10
CVSS Base Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

AV : Access Vector (Related exploit range) - Network (N)
AC : Access Complexity (Required attack complexity) - Medium (M)
Au : Authentication (Level of authentication needed to exploit) - None (N)
C : Impact to Confidentiality - None (N)
I : Impact to Integrity - Partial (P)
A : Impact to Availability - None (N)

Business Risk
A cross-site scripting vulnerability allows an attacker to inject malicious script into a page served by a trusted web site. By luring an authenticated user into following a crafted link, an internal or external attacker can run script in that user's browser in the context of the Oracle E-Business Suite session, impersonate the user, and use that access to obtain sensitive technical and/or business-related information stored in the vulnerable Oracle system.

Description
Oracle E-Business Suite has a reflected cross-site scripting vulnerability that is triggered through a crafted link.

Vulnerable Packages
Oracle E-Business Suite 12.1.4
Other versions are probably affected too, but they were not checked.

Solutions and Workarounds
Install Oracle CPU October 2015.

Technical Description
The CfgOCIReturn servlet is vulnerable to cross-site scripting (XSS) because it does not sanitize the Domain parameter before reflecting it into the response, so HTML and script supplied in that parameter are returned to the victim's browser.
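The check a tester would run against this bug class, as an added example that is not part of the advisory and not Oracle's code: send a canary wrapped in the characters that must be encoded in any HTML context, then inspect the response to see whether the canary came back as injected markup (vulnerable), as encoded text (fixed), or not at all. The two handlers are constructed stand-ins for the unpatched and patched servlet; the advisory does not state the HTML context in which the Domain parameter is reflected, so a plain text context is assumed, and the servlet URL passed to probe_url is hypothetical.

```python
"""Reflected-XSS probe for a servlet that echoes a query parameter.

Added example; not code from the advisory or from Oracle.  The handlers are
constructed stand-ins for CfgOCIReturn, and the reflection context (HTML text)
is an assumption because the advisory does not state it.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urlencode

PARAM = "Domain"
CANARY = "zq7xcanary"          # unique lowercase token so a hit is unambiguous
PROBE = f'"\'<{CANARY}>&'      # every character that must be encoded in HTML


def vulnerable_page(params: dict) -> str:
    """Constructed stand-in for the unpatched behaviour: value echoed as-is."""
    domain = params.get(PARAM, "")
    return f"<html><body><p>Returning to domain: {domain}</p></body></html>"


def hardened_page(params: dict) -> str:
    """Same page with contextual output encoding, the fix for this bug class."""
    domain = html.escape(params.get(PARAM, ""), quote=True)
    return f"<html><body><p>Returning to domain: {domain}</p></body></html>"


def probe_url(base_url: str) -> str:
    """Request a tester would issue; base_url is wherever the servlet is mounted."""
    return f"{base_url}?{urlencode({PARAM: PROBE})}"


class _CanarySpotter(HTMLParser):
    """Parses the response the way a browser would and records how the canary
    surfaced: as an element name (markup injected) or as ordinary text."""

    def __init__(self) -> None:
        super().__init__()          # convert_charrefs=True: entities decoded in data
        self.injected = False
        self.as_text = False

    def handle_starttag(self, tag, attrs):
        if tag == CANARY:
            self.injected = True

    def handle_data(self, data):
        if CANARY in data:
            self.as_text = True


def classify_reflection(body: str) -> str:
    """'raw' if the probe was reflected unencoded (XSS), 'encoded' if the
    canary is present only as text, 'absent' if it was not reflected at all."""
    spotter = _CanarySpotter()
    spotter.feed(body)
    spotter.close()
    if spotter.injected:
        return "raw"
    if spotter.as_text:
        return "encoded"
    return "absent"


if __name__ == "__main__":
    # Hypothetical mount point; the real path is not given in the advisory.
    print(probe_url("https://ebs.example.test/CfgOCIReturn"))
    for name, handler in (("unpatched", vulnerable_page), ("patched", hardened_page)):
        print(name, classify_reflection(handler({PARAM: PROBE})))
```

Against a live system the same classify_reflection call is run on the body returned for probe_url; a "raw" verdict means the parameter is echoed without encoding and the CPU has not been applied.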