JVNDB-2013-003391

[Japanese]
JVNDB-2013-003391
Oracle Enterprise Manager vulnerable to cross-site scripting
Overview
Oracle Enterprise Manager provided by Oracle contains a cross-site scripting vulnerability. Masashi Shiraishi reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)
CVSS V2 Severity: Base Metrics 4.3 (Medium) [IPA Score] Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
Affected Products

Oracle Corporation Oracle Database 11g Release 1,version 11.1.0.7 Oracle Enterprise Manager Base Platform 10.2.0.5 Oracle Enterprise Manager Base Platform 10g Release 1,version 10.2.0.5 Oracle Enterprise Manager Database Control 11.1.0.7

Impact
An arbitrary script may be executed on the user's web browser.
Solution
[Apply an Update] Update to the latest version according to the information provided by the developer.
Vendor Information
Oracle Corporation Oracle Critical Patch Update : Oracle Critical Patch Update Advisory - July 2013 Oracle Critical Patch Update : Text Form of Oracle Critical Patch Update - July 2013 Risk Matrices SECURITY BLOG : July 2013 Critical Patch Update Released
CWE (What is CWE?)
Cross-site Scripting(CWE-79) [IPA Evaluation]
CVE (What is CVE?)
CVE-2013-3791
References
JVN : JVN#26103805 National Vulnerability Database (NVD) : CVE-2013-3791
Revision History
[2013/07/22] Web page was published


Date Public	2013/07/16
Date First Published	2013/07/22
Date Last Updated	2013/07/22

Oracle Enterprise Manager vulnerable to cross-site scripting