usd-2019-0014 | Oracle Transportation Management (OTM)/6.4.3
Advisory ID: usd-2019-0014
CVE Number: CVE-2019-2709
Affected Product: Oracle Transportation Management
Affected Version: 6.4.3
Vulnerability Type: Reflected Cross-Site Scripting
Security Risk: High
Vendor URL: https://www.oracle.com
Vendor Status: Fixed
Reflected XSS attack (or non-persistent attack) occur when a malicious script is reflected off of a web application to the victim’s browser. The attack is typically delivered via email or a web site and activated through a link, which sends a request to a website with a vulnerability that enables execution of malicious scripts.
Proof of Concept (PoC)
The vulnerability present is a reflected cross site scripting attack. The vulnerable parameter is „query_type“.
The request is send if the user:
1.) Logs in as an administrator
2.) Selects the menu „Restricted Party Screening“
3.) Selects the sub menu „Restricted Party Screening“.
4.) Clicks the button „Match“ to start a search. The search parameters may be empty.
5.) Inside the displayed table clicks on a column to sort the corresponding results.
Since the parameter is URL-encoded, the attacker also has to encode his payload. Due to incorrect filtering „> enables the attacker to break out of the context and insert custom HTML code.
The complete Payload would look like this: urlencode(„><svg onload=alert(1);>) .
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept-Encoding: gzip, deflate
Make sure to encode the user supplied input.
- 2019-03-26 First contact request via firstname.lastname@example.org
- 2019-03-27 Oracle Security Team opened a ticket for the issue
- 2019-04-13 Status update: Issue is fixed in CPUApr2019
- 2019-07-31 Security advisory released
This security vulnerability was found by Luca Rupp of usd AG.