Bugtraq mailing list archives
Oracle Siebel 7.x CRM Cross Site Scripting Vulnerability
From: lament () ilhack org
Date: 28 Feb 2010 19:27:12 -0000
=======================================================
Yaniv Miron aka "Lament" Advisory Feb 27, 2010
Oracle Siebel 7.x CRM (7.7, 7.8 tested) Cross Site Scripting Vulnerability
=======================================================

=====================
I. BACKGROUND
=====================
Siebel Customer Relationship Management (CRM) Applications

The world's most complete customer relationship management (CRM) solution, Oracle's Siebel CRM helps organizations differentiate their businesses to achieve maximum top- and bottom-line growth. It delivers a combination of transactional, analytical, and engagement features to manage all customer-facing operations. With solutions tailored to more than 20 industries, Siebel CRM delivers:
Comprehensive on premise and on demand CRM solutions.
Tailored industry solutions.
Role-based customer intelligence and pre-built integration.

http://www.oracle.com/us/products/applications/siebel/index.htm

=====================
II. DESCRIPTION
=====================
A malicious attacker may inject scripts into the Oracle Siebel CRM application.

=====================
III. ANALYSIS
=====================
Exploitation of this vulnerability results in the execution of arbitrary code using a malicious link.

=====================
IV. EXPLOIT
=====================
http://example.com/htim_enu/start.swe/?>'"><script>alert('XSS by Lament')</script>

=====================
V. DISCLOSURE TIMELINE
=====================
Jan 2009 Vulnerability found
Jan 2009 Vendor Notification
Feb 2010 Public Disclosure

=====================
VI. CREDIT
=====================
Yaniv Miron aka "Lament".
lament () ilhack org
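For defenders reviewing web server logs for the request pattern shown in section IV, the following is an added example and not part of the original advisory. It assumes combined-format access logs in which the browser has percent-encoded the payload; the log lines, addresses and the `q`/`x` parameter names are constructed.

```python
import re
from urllib.parse import unquote

# Request target inside a combined-format access log line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Everything that follows the Siebel entry point named in the advisory.
ENTRY_RE = re.compile(r"start\.swe(.*)", re.IGNORECASE | re.DOTALL)
# An opening/closing tag, or a quote followed by '>' (attribute breakout).
MARKUP_RE = re.compile(r"<\s*[a-z!/]|['\"]\s*>", re.IGNORECASE)

# Constructed sample input: line 2 is the advisory's URL as a browser would
# encode it, line 3 is a double-encoded variant, lines 1 and 4 are benign.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Mar/2010:10:00:01 +0000] "GET /htim_enu/start.swe HTTP/1.1" 200 5120',
    '192.0.2.44 - - [01/Mar/2010:10:02:17 +0000] "GET /htim_enu/start.swe/'
    '?%3E%27%22%3E%3Cscript%3Ealert(%27XSS%20by%20Lament%27)%3C/script%3E HTTP/1.1" 200 5301',
    '192.0.2.44 - - [01/Mar/2010:10:02:40 +0000] "GET /htim_enu/start.swe'
    '?x=%253Cscript%253Ealert(1)%253C/script%253E HTTP/1.1" 200 5298',
    '192.0.2.10 - - [01/Mar/2010:10:05:03 +0000] "GET /htim_enu/start.swe?q=O%27Brien HTTP/1.1" 200 4987',
]


def decode_target(target, rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are normalised."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def suspicious_requests(log_lines):
    """Return (line_number, decoded_target) for start.swe requests carrying markup."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        request = REQUEST_RE.search(line)
        if not request:
            continue  # not a parsable request line
        target = decode_target(request.group(1))
        entry = ENTRY_RE.search(target)
        if entry and MARKUP_RE.search(entry.group(1)):
            hits.append((number, target))
    return hits


if __name__ == "__main__":
    for number, target in suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: {target}")
```

A hit shows only that the request was sent; whether the markup was reflected unencoded has to be confirmed against the response or the application version.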