Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2007-0275 — Cross-site Scripting in Oracle Application Server

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

3.5LOWNVD

EPSS

0.8%

top 26.24%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Oracle Application Server Oracle Collaboration Suite Oracle Database Server +1 more

Timeline

PublishedJan 17

Latest updateMay 1

Description

Cross-site scripting (XSS) vulnerability in Oracle Reports Web Cartridge (RWCGI60) in the Workflow Cartridge component, as used in Oracle Database 9.2.0.8, 10.1.0.5, and 10.2.0.3; Application Server 9.0.4.3, 10.1.2.0.2, and 10.1.2.2; Collaboration Suite 10.1.2; and Oracle E-Business Suite and Applications 11.5.10CU2; allows remote authenticated users to inject arbitrary HTML or web script via the genuser parameter to rwcgi60, aka OWF01.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 6.8 | Impact: 2.9

Affected Packages4 packages

▶NVDoracle/e-business_suite11.5.10.2

▶NVDoracle/application_server10.1.2.0.2, 10.1.2.2, 9.0.4.3+2

▶NVDoracle/collaboration_suite10.1.2

▶NVDoracle/database_server10.1.0.5, 10.2.0.3, 9.2.0.8+2

Patches

Patch: secunia.com ↗Patch: secunia.com ↗

🔴Vulnerability Details

GHSA

GHSA-mc87-5mpw-4292: Cross-site scripting (XSS) vulnerability in Oracle Reports Web Cartridge (RWCGI60) in the Workflow Cartridge component, as used in Oracle Database 9↗2022-05-01

▶

CVEList

CVE-2007-0275: Cross-site scripting (XSS) vulnerability in Oracle Reports Web Cartridge (RWCGI60) in the Workflow Cartridge component, as used in Oracle Database 9↗2007-01-17

▶

💥Exploits & PoCs

Exploit-DB

Oracle HTTP Server - Cross-Site Scripting Header Injection↗2011-06-13

▶