Signature Detail

HTTP: Oracle BEA Weblogic Server console-help.portal Cross-Site Scripting

There exists a cross-site scripting vulnerability in BEA Weblogic Server. The vulnerability is due to an input validation error in certain console-help.portal pages that allow attackers to inject arbitrary HTML and JavaScript code that would be executed in a user's web browser. A remote unauthenticated attacker can exploit this vulnerability to execute arbitrary HTML or script code on the client system. Successful exploitation would result in compromise of target user's cookies (including authentication cookies) associated with the site, and modification of user information.

Extended Description

Oracle WebLogic Server is prone to a cross-site scripting vulnerability. An attacker with 'WLS Console Package' privileges can exploit this issue. The attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. This vulnerability affects Oracle WebLogic Server 10.3.

Affected Products

• Oracle Weblogic Server 10.3

References

• BugTraq: 35673
• CVE: CVE-2009-1975