CVE-2021-2023 — Cross-site Scripting in Oracle Installed Base

CWE-79 — Cross-site Scripting CWE-80 — Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)38 documents14 sources

Severity

4.7MEDIUMNVD

EPSS

0.7%

top 28.94%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Oracle Installed Base Oracle Corporation Installed Base

Timeline

PublishedJan 20

Latest updateSep 26

Description

Vulnerability in the Oracle Installed Base product of Oracle E-Business Suite (component: APIs). Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.9. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Installed Base. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Installed Base, attacks may significantly impact additional products. Succ…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶NVDoracle/installed_base12.1.1 — 12.1.3+1

▶CVEListV5oracle_corporation/installed_base12.1.1-12.1.3, 12.2.3-12.2.9+1

🔴Vulnerability Details

OSV

linux, linux-aws, linux-kvm, linux-lts-xenial vulnerabilities↗2024-09-26

▶

OSV

linux-raspi-5.4 vulnerabilities↗2024-09-02

▶

OSV

giflib vulnerabilities↗2024-06-10

▶

GHSA

plone.namedfile vulnerable to Stored Cross Site Scripting with SVG images↗2023-09-21

▶

GHSA

GHSA-pv77-wcvm-2654: Vulnerability in the Oracle Installed Base product of Oracle E-Business Suite (component: APIs)↗2022-05-24

▶

💥Exploits & PoCs

Nuclei

Adobe ColdFusion - Access Control Bypass

▶

Nuclei

Adobe Coldfusion - Cross-Site Scripting

▶

📋Vendor Advisories

Oracle

Oracle Oracle Communications Risk Matrix: Policy (GNU Libtasn1) — CVE-2021-46848↗2023-04-15

▶

Oracle

Oracle Oracle JD Edwards Risk Matrix: Deployment SEC (Apache Ant) — CVE-2021-36373↗2023-04-15

▶

Oracle

Oracle Oracle Enterprise Manager Risk Matrix: Load Testing for Web Apps (Apache Santuario XML Security For Java) — CVE-2021-40690↗2023-04-15

▶

Oracle

Oracle Oracle E-Business Suite Risk Matrix: APIs — CVE-2021-2023↗2021-01-15

▶

🕵️Threat Intelligence

Bleepingcomputer

Hackers breach US govt agencies using Adobe ColdFusion exploit↗2023-12-05

▶

Threat Intel

DarkPink

▶