Summary
This host is running Oracle OpenSSO and is prone to multiple cross-site scripting vulnerabilities.
Impact
Successful exploitation will allow attackers to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
Impact Level: Application
Solution
No solution or patch is available as of 20th February, 2015. Information regarding this issue will be updated once the solution details are available.
For updates refer to http://www.oracle.com/index.html
Insight
Multiple flaws are due to an,
- Improper validation of 'dob_Day', 'dog_Month', 'dog_Year', 'givenname', 'name', and 'sn' parameters upon submission to the cmp_generate_tmp_pw.tiles script.
- Improper validation of 'dob_day', 'dob_Month', 'dob_Year', 'givenname', 'mail', 'sn', 'x', and 'y' parameters upon submission to UI/Login in the ResetPassword module.
Affected
Oracle OpenSSO 8.0 Update 2 Patch3 Build 6.1
Detection
Get the installed version of Oracle OpenSSO with the help of detect NVT and check the version is vulnerable or not.
References