Oracle WebCenter Content idc/idcplg Multiple Parameter XSS

This script is Copyright (C) 2012-2014 Tenable Network Security, Inc.


Synopsis :

The remote web server contains a script that is prone to a reflected
cross-site scripting attack.

Description :

Oracle WebCenter Content script '/idc/idcplg' contains several
parameters that are incorrectly filtered, including 'sltPageTitle' and
'redirectPageTitle'. This makes the WebCenter Content install
susceptible to a reflected cross-site scripting attack.

By tricking someone into clicking on a specially crafted link, an
attacker may be able exploit this to inject arbitrary HTML and script
code in a user's browser to be executed within the security context of
the affected site.

See also :

http://www.nessus.org/u?9f19d081
http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html

Solution :

See the Oracle advisory for information on obtaining and applying bug
fix patches.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score : 3.2
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: CGI abuses : XSS

Nessus Plugin ID: 57981 ()

Bugtraq ID: 51454

CVE ID: CVE-2012-0084