
JVNDB-2012-000007

Oracle WebLogic Server vulnerable to cross-site scripting

Overview

Oracle WebLogic Server contains a cross-site scripting vulnerability.

Oracle WebLogic Server contains a cross-site scripting vulnerability on the management console.

Minetoshi Takizawa reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

CVSS Severity

Base Metrics: 2.6 (Low) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None

Affected Products


Oracle Corporation
  • Oracle WebLogic Server 9.2.4, 10.0.2, 10.3.3, 10.3.4, 10.3.5

For more information, refer to the information provided by the developer.

Impact

An arbitrary script may be executed in the browser of a user who is logged in to the administration console of Oracle WebLogic Server.

Solution

[Update the Software]
Apply the latest update according to the information provided by the developer.

Vendor Information

Oracle Corporation

CWE

  1. Cross-site Scripting (CWE-79) [IPA Evaluation]

CVE

  1. CVE-2012-0077

References

  1. JVN : JVN#54779201
  2. National Vulnerability Database (NVD) : CVE-2012-0077

Revision History

[2012/01/20]
  Web page was published.