
Oracle Siebel 7.x CRM Cross Site Scripting Vulnerability



========================================================
Yaniv Miron aka "Lament" Advisory Feb 27, 2010
Oracle Siebel 7.x CRM (7.7, 7.8 tested) Cross Site Scripting Vulnerability
========================================================

======================
I. BACKGROUND
======================
Siebel Customer Relationship Management (CRM) Applications

The world's most complete customer relationship management (CRM) solution,
Oracle's Siebel CRM helps organizations differentiate their businesses to
achieve maximum top- and bottom-line growth. It delivers a combination of
transactional, analytical, and engagement features to manage all
customer-facing operations. With solutions tailored to more than 20 industries,
Siebel CRM delivers:
Comprehensive on premise and on demand CRM solutions.
Tailored industry solutions.
Role-based customer intelligence and pre-built integration.

http://www.oracle.com/us/products/applications/siebel/index.htm

======================
II. DESCRIPTION
======================

A malicious attacker may inject scripts into the Oracle Siebel CRM application.

======================
III. ANALYSIS
======================

Exploitation of this vulnerability results in the execution of arbitrary
script code in the victim's browser, triggered through a malicious link.

======================
IV. EXPLOIT
======================



======================
V. DISCLOSURE TIMELINE
======================

Jan 2009 Vulnerability found
Jan 2009 Vendor Notification
Feb 2010 Public Disclosure

======================
VI. CREDIT
======================

Yaniv Miron aka "Lament".
lament@ilhack.org
