Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2004-2115: Cross-site Scripting in Oracle HTTP Server

4 documents, 4 sources
Severity: 6.8 MEDIUM (NVD)
EPSS: 50.3% (top 2.15%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline
Published: Dec 31
Latest update: Apr 29

Description

Multiple cross-site scripting (XSS) vulnerabilities in Oracle HTTP Server 1.3.22, based on Apache, allow remote attackers to execute arbitrary script as other users via the (1) action, (2) username, or (3) password parameters in an isqlplus request.

CVSS vector

AV:N/AC:M/C:P/I:P/A:P
Exploitability: 8.6 | Impact: 6.4

Affected Packages (1 package)

NVD: oracle/http_server 8.1.7, 9.0.1, 9.2.0 (+2 more)

🔴 Vulnerability Details (2)

GHSA: GHSA-cxhg-jcjg-97wr: Multiple cross-site scripting (XSS) vulnerabilities in Oracle HTTP Server 1 (2022-04-29)
CVEList: CVE-2004-2115: Multiple cross-site scripting (XSS) vulnerabilities in Oracle HTTP Server 1 (2005-05-27)

💥 Exploits & PoCs (1)

Exploit-DB: Oracle HTTP Server 8.1.7/9.0.1/9.2 - isqlplus Cross-Site Scripting (2004-01-24)