JVNDB-2009-000007

Oracle WebLogic Server vulnerable to cross-site scripting

Oracle WebLogic Server (formerly BEA WebLogic Server) contains a cross-site scripting vulnerability.

Oracle WebLogic Server is an application server based on Java Platform Enterprise Edition 5 (JavaEE5). Oracle WebLogic Server contains a cross-site scripting vulnerability.

Daiki Fukumori of Secure Sky Technology, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the vendor under Information Security Early Warning Partnership.

Base Metrics: 2.6 (Low) [IPA Score]

• Access Vector: Network
• Access Complexity: High
• Authentication: None
• Confidentiality Impact: None
• Integrity Impact: Partial
• Availability Impact: None

Oracle Corporation

• Oracle WebLogic Server 10.3
• Oracle WebLogic Server 10.0 MP1
• Oracle WebLogic Server 9.2 MP3
• Oracle WebLogic Server 9.1
• Oracle WebLogic Server 9.0
• Oracle WebLogic Server 8.1 SP6
• Oracle WebLogic Server 7.0 SP7

An arbitrary script may be executed on the user's web browser.

[Update the Software]
Apply the latest updates provided by the vendor.
For more information, refer to the vendor's web site.

Oracle Corporation

• Critical Patch Updates and Security Alerts : Critical Patch Updates and Security Alerts
• Critical Patch Updates and Security Alerts : cpujan2009
• Security Advisories and Notifications : 2811

1. JVN : JVN#93431860
2. US-CERT Technical Cyber Security Alert : TA09-015A
3. National Vulnerability Database (NVD) : CVE-2008-5461
4. Common Vulnerabilities and Exposures (CVE) : CVE-2008-5461
5. Secunia Advisory : SA33526
6. SecurityFocus : 33177
7. VUPEN Security : VUPEN/ADV-2009-0115
8. Common Weakness Enumeration (CWE) : Cross-site scripting (CWE-79) [IPA Evaluation]
9. JVN iPedia (Japanese) : JVNDB-2009-000007

[2009/01/20]
  Web page published