Summary
This host is running Oracle OpenSSO and is prone to multiple cross-site scripting vulnerabilities.
Impact
Successful exploitation will allow attackers to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
Impact Level: Application
Solution
No solution or patch is available as of 20th February, 2015. Information regarding this issue will be updated once the solution details are available.
For updates refer to http://www.oracle.com/index.html
Insight
Multiple flaws exist because of:
- Improper validation of the 'dob_Day', 'dog_Month', 'dog_Year', 'givenname', 'name', and 'sn' parameters when submitted to the cmp_generate_tmp_pw.tiles script.
- Improper validation of the 'dob_day', 'dob_Month', 'dob_Year', 'givenname', 'mail', 'sn', 'x', and 'y' parameters when submitted to UI/Login in the ResetPassword module.
Affected
Oracle OpenSSO 8.0 Update 2 Patch3 Build 6.1
Detection
Get the installed version of Oracle OpenSSO with the help of the detection NVT and check whether that version is vulnerable.
Severity
CVSS Base Score: 4.3
CVSS Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N