BugTraq
Oracle Siebel 7.x CRM Cross Site Scripting Vulnerability Feb 28 2010 07:27PM
lament ilhack org
=======================================================

Yaniv Miron aka "Lament" Advisory Feb 27, 2010

Oracle Siebel 7.x CRM (7.7, 7.8 tested) Cross Site Scripting Vulnerability

=======================================================

=====================

I. BACKGROUND

=====================

Siebel Customer Relationship Management (CRM) Applications

The world's most complete customer relationship management (CRM) solution,

Oracle's Siebel CRM helps organizations differentiate their businesses to

achieve maximum top-and bottom-line growth. It delivers a combination of

transactional, analytical, and engagement features to manage all

customer-facing operations. With solutions tailored to more than 20 industries,

Siebel CRM delivers:

Comprehensive on premise and on demand CRM solutions.

Tailored industry solutions.

Role-based customer intelligence and pre-built integration.

http://www.oracle.com/us/products/applications/siebel/index.htm

=====================

II. DESCRIPTION

=====================

A malicious attacker may inject scripts into the Oracle Siebel CRM application.

=====================

III. ANALYSIS

=====================

Exploitation of this vulnerability results in the execution of arbitrary

code using a malicious link.

=====================

IV. EXPLOIT

=====================

http://example.com/htim_enu/start.swe/?>'"><script>alert('XSS by Lament')</script>

=====================

V. DISCLOSURE TIMELINE

=====================

Jan 2009 Vulnerability found

Jan 2009 Vendor Notification

Feb 2010 Public Disclosure

=====================

VI. CRETID

=====================

Yaniv Miron aka "Lament".

lament (at) ilhack (dot) org [email concealed]

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus