HTTP: Oracle BEA Weblogic Server console-help.portal Cross-Site Scripting
There exists a cross-site scripting vulnerability in BEA Weblogic Server. The vulnerability is due to an input validation error in certain console-help.portal pages that allow attackers to inject arbitrary HTML and JavaScript code that would be executed in a user's web browser. A remote unauthenticated attacker can exploit this vulnerability to execute arbitrary HTML or script code on the client system. Successful exploitation would result in compromise of target user's cookies (including authentication cookies) associated with the site, and modification of user information.
Extended Description
Oracle WebLogic Server is prone to a cross-site scripting vulnerability. An attacker with 'WLS Console Package' privileges can exploit this issue. The attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. This vulnerability affects Oracle WebLogic Server 10.3.
Affected Products
Oracle weblogic_server
Short Name
HTTP:WEBLOGIC:CONSOLE-HELP-PORT
Severity
Major
Recommended
False
Recommended Action
Drop
Category
HTTP
Keywords
BEA CVE-2009-1975 Cross-Site Oracle Scripting Server Weblogic bid:35673 console-help.portal
Release Date
12/21/2011
Supported Platforms
srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3
Sigpack Version
3475
False Positive
Unknown
Vendors
Oracle
CVSS Score
6.8