Oracle Application Express NOTIFICATION_MSG cross-site scripting
oracle-notification-msg-xss (30107)
Description:
Oracle Application Express (APEX) is vulnerable to cross-site scripting, caused by improper validation of user-supplied input passed in the NOTIFICATION_MSG parameter. A remote attacker could exploit this vulnerability by persuading a victim to follow a specially crafted URL, causing script to execute in the victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
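The following is an added example, not code from the advisory or from Oracle's APEX. It shows the defect class the advisory describes: a hypothetical page handler that reflects a query parameter straight into HTML, beside the same handler with contextual output encoding, and a scanner that pulls the NOTIFICATION_MSG value out of web-server access-log lines, fully URL-decodes it (so double-encoded payloads are not missed), and flags values that carry markup. The request path, client addresses and log lines are constructed for the example; only the parameter name comes from the advisory.

```python
import html
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Parameter named in the advisory; everything else in this file is a constructed stand-in.
PARAM = "NOTIFICATION_MSG"


def render_vulnerable(msg: str) -> str:
    # Hypothetical handler (not APEX's code): reflects the raw value, so any
    # markup in the URL becomes markup in the page.
    return f'<div class="notification">{msg}</div>'


def render_fixed(msg: str) -> str:
    # Same handler with output encoding for an HTML text-node context.
    return f'<div class="notification">{html.escape(msg, quote=True)}</div>'


# Coarse signature: tag openers, javascript: URLs and inline event handlers.
MARKUP = re.compile(r"<\s*/?[a-z!]|javascript\s*:|\bon[a-z]+\s*=", re.I)

# Request target inside a common/combined log format line.
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def fully_decode(value: str, rounds: int = 3) -> str:
    # Undo repeated percent-encoding so that %253C is seen as '<'.
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_xss_attempts(log_lines, param: str = PARAM):
    """Return (client_ip, decoded value) for requests whose `param` carries markup."""
    hits = []
    for line in log_lines:
        m = REQUEST.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        # parse_qs decodes one layer; fully_decode handles the rest.
        for value in parse_qs(query, keep_blank_values=True).get(param, []):
            decoded = fully_decode(value)
            if MARKUP.search(decoded):
                hits.append((line.split(" ", 1)[0], decoded))
    return hits


# Constructed sample log lines (common log format); not real traffic, and the
# /app/page path is a placeholder rather than an APEX URL.
SAMPLE_LOG = [
    '10.0.0.5 - - [23/Oct/2006:11:43:54 -0500] "GET /app/page?p=1&NOTIFICATION_MSG=Saved HTTP/1.1" 200 812',
    '10.0.0.9 - - [23/Oct/2006:11:44:10 -0500] "GET /app/page?p=1&NOTIFICATION_MSG=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 901',
    '10.0.0.9 - - [23/Oct/2006:11:44:31 -0500] "GET /app/page?p=1&NOTIFICATION_MSG=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 903',
    '10.0.0.7 - - [23/Oct/2006:11:45:02 -0500] "GET /app/other?q=%3Cb%3Ex%3C/b%3E HTTP/1.1" 200 120',
]

if __name__ == "__main__":
    for ip, value in find_xss_attempts(SAMPLE_LOG):
        print(f"{ip}: {value!r}")
    print(render_fixed("<script>alert(1)</script>"))
```

The scanner only reports the named parameter, so the `q=` request on the last line is ignored even though it contains tags; widen `param` or loop over all parameters if you want a generic reflected-XSS sweep. The signature is deliberately coarse and will flag benign values such as `one=1`, so treat hits as triage candidates, not confirmed attacks. The durable fix is the vendor patch from the Critical Patch Update; the `render_fixed` form shows the class of change a patch for this kind of defect makes.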
Platforms Affected:
- Oracle, APEX 1.5
- Oracle, APEX 2.0
Remedy:
Refer to Oracle Critical Patch Update - October 2006 for patch, upgrade, or suggested workaround information. See References.
Consequences:
Gain Access
References:
- Full-Disclosure Mailing List, Mon Oct 23 2006 - 11:43:54 CDT, Cross-Site-Scripting Vulnerabilitiy in Oracle APEX NOTIFICATION_MSG at http://archives.neohapsis.com/archives/fulldisclosure/2006-10/0480.html.
- Oracle Critical Patch Update - October 2006, Oracle Critical Patch Update - October 2006 at http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2006.html.
- Red-Database-Security Web site, Details Oracle Critical Patch Update October 2006 - V1.02 at http://www.red-database-security.com/advisory/oracle_cpu_oct_2006.html.
- BID-20588: Oracle October 2006 Security Update Multiple Vulnerabilities
- CVE-2006-5351: Multiple unspecified vulnerabilities in Oracle Application Express (formerly Oracle HTML DB) 1.5 up to 2.0 have unknown impact and remote attack vectors, aka Vuln# (1) APEX01, (2) APEX02, (3) APEX03, (4) APEX05, (5) APEX06, (6) APEX07, (7) APEX08, (8) APEX09, (9) APEX10, (10) APEX11, (11) APEX12, (12) APEX13, (13) APEX14, (14) APEX15, (15) APEX16, (16) APEX17, (17) APEX18, (18) APEX19, (19) APEX22, (20) APEX23, (21) APEX24, (22) APEX25, (23) APEX26, (24) APEX27, (25) APEX28, (26) APEX29, (27) APEX30, (28) APEX31, (29) APEX32, (30) APEX33, (31) APEX34, and (32) APEX35. NOTE: as of 20061027, it is likely that some of these identifiers are associated with cross-site scripting (XSS) in WWV_FLOW_ITEM_HELP and NOTIFICATION_MSG, but these have been provided separate identifiers.
- CVE-2006-7158: Cross-site scripting (XSS) vulnerability in Oracle Application Express (APEX) before 2.2.1, aka Oracle HTML DB, allows remote attackers to inject arbitrary web script or HTML via the NOTIFICATION_MSG parameter. NOTE: it is likely that this issue overlaps one of the identifiers in CVE-2006-5351.
- SA22396: Oracle Products Multiple Vulnerabilities
- SECTRACK ID: 1017077: Oracle Database and Other Products Have Multiple Unspecified Vulnerabilities With Unspecified Impact
- VUPEN/ADV-2006-4065: Oracle Products Multiple Remote SQL Injection and Security Bypass Vulnerabilities
Reported:
Oct 17, 2006
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.
For corrections or additions please email xforce@iss.net
