lists.openwall.net - Open Source and information security mailing list archives (Bugtraq)
Date: Tue, 12 Jul 2011 22:54:43 -0400
From: Aditya K Sood <0kn0ck@...niche.org>
To: bugtraq@...urityfocus.com
Subject: CVE-2010-2404 | Persistent Cross Site Scripting Vulnerability in Oracle I-Recruitment - E-Business Suite

Advisory: Persistent Cross Site Scripting Vulnerability in Oracle I-Recruitment File Uploading Module - E-Business Suite

CVE-2010-2404

Versions Affected: 11.5.10.2, 12.0.6, 12.1.3

About: Oracle I-Recruitment Suite

Oracle iRecruitment is a web-based, full-cycle recruiting solution that gives managers, recruiters and candidates the ability to manage every phase of finding, recruiting, hiring and tracking new employees. It is part of Oracle E-Business Suite.

Discussion:

A persistent cross-site scripting vulnerability exists in the I-Recruitment portal. The account information page allows the user to upload a resume as a Microsoft Word document. An attacker can construct a malicious MS Word file that carries an XSS payload in its hyperlinks; the payload survives the document-to-HTML conversion, bypassing the conversion filters, and is then rendered to other users of the portal. For attack details, refer to the following paper:

http://secniche.org/papers/SNS_09_01_Evad_Xss_Filter_Msword.pdf

Disclosure:

The vulnerability was disclosed to Oracle in January 2009 and was patched in the October 2010 Critical Patch Update (CPU) release.

Credit: Aditya K Sood of SecNiche Security

Contact: adi_ks [at] secniche.org

Disclaimer:

The information in this advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no representations or warranties, either express or implied, by or with respect to anything.
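The class of bug described above, hyperlink targets in an uploaded Word document that survive conversion to HTML, is best closed by allowlisting the URL scheme of every link rather than by blocklisting patterns in the converter output. The following is an added example, not Oracle's code and not code from the advisory or the referenced paper, of that check applied at two points: before conversion, on the hyperlink relationships a .docx stores in word/_rels/document.xml.rels, and after conversion, on the href and event-handler attributes of the HTML fragment. The advisory does not say which Word format or converter was involved; the .docx case is shown because its link storage is a documented XML part. Both sample inputs (the minimal zip built by build_sample_docx and the HTML fragment in the main block) are constructed for this example and are not real resumes.

```python
"""Added example: scheme-allowlist checks for hyperlinks in an uploaded Word
(.docx) resume and in the HTML a converter produces from it.  Not Oracle's
code and not the advisory author's; all sample inputs are constructed."""
import html
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import urlsplit

SAFE_SCHEMES = {"http", "https", "mailto"}
# Browsers delete ASCII tab/CR/LF anywhere in a URL and trim surrounding
# whitespace before parsing, so "java\tscript:" still executes. Normalise the
# same way so the allowlist sees the URL the browser will see.
_STRIP = re.compile(r"[\t\r\n]")

def is_safe_link(url):
    """True only when the link's scheme is explicitly allowlisted.
    Scheme-less (relative, protocol-relative) links are rejected too."""
    cleaned = _STRIP.sub("", url or "").strip()
    return urlsplit(cleaned).scheme.lower() in SAFE_SCHEMES

# OOXML: hyperlink targets live in the relationships part, not document.xml.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
HYPERLINK_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                  "relationships/hyperlink")
RELS_PART = "word/_rels/document.xml.rels"

def unsafe_docx_links(docx_bytes):
    """Return every hyperlink target in a .docx that fails the allowlist."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if RELS_PART not in z.namelist():
            return []
        root = ET.fromstring(z.read(RELS_PART))
    bad = []
    for rel in root.iter("{%s}Relationship" % REL_NS):
        if rel.get("Type") == HYPERLINK_TYPE:
            target = rel.get("Target", "")
            if not is_safe_link(target):
                bad.append(target)
    return bad

def build_sample_docx(targets):
    """Constructed stand-in for an uploaded resume: only the relationships
    part this check reads (a real .docx also has document.xml etc.)."""
    rels = ['<?xml version="1.0" encoding="UTF-8"?>',
            '<Relationships xmlns="%s">' % REL_NS]
    for i, t in enumerate(targets, start=1):
        rels.append('<Relationship Id="rId%d" Type="%s" Target="%s" '
                    'TargetMode="External"/>'
                    % (i, HYPERLINK_TYPE, html.escape(t, quote=True)))
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(RELS_PART, "\n".join(rels))
    return buf.getvalue()

class LinkSanitizer(HTMLParser):
    """Post-conversion pass: drop href/src values that fail the allowlist and
    any on* event-handler attribute, re-escape text, keep other markup."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped = [], []

    def _emit_tag(self, tag, attrs, self_closing=False):
        parts = [tag]
        for name, value in attrs:
            lname = name.lower()
            if lname in ("href", "src") and not is_safe_link(value):
                self.dropped.append(value)
                continue
            if lname.startswith("on"):
                self.dropped.append("%s=%s" % (name, value))
                continue
            parts.append('%s="%s"' % (name, html.escape(value or "", quote=True)))
        self.out.append("<%s%s>" % (" ".join(parts), " /" if self_closing else ""))

    def handle_starttag(self, tag, attrs):
        self._emit_tag(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, attrs, self_closing=True)

    def handle_endtag(self, tag):
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

def sanitize_html_links(fragment):
    """Return (cleaned_fragment, list_of_dropped_values)."""
    p = LinkSanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out), p.dropped

if __name__ == "__main__":
    # Constructed inputs: one benign link, one javascript: link, one mailto.
    doc = build_sample_docx(["https://example.com/cv", "javascript:alert(1)",
                             "mailto:someone@example.com"])
    print("rejected before conversion:", unsafe_docx_links(doc))
    converted = ('<p>See <a href="https://example.com/cv">portfolio</a> and '
                 '<a href="javascript:alert(document.cookie)">more</a></p>')
    print(sanitize_html_links(converted))
```

The pre-conversion check is the one that lets you reject the upload outright and log who sent it; the post-conversion pass is defence in depth for whatever the converter emits. Note that LinkSanitizer only handles link and event-handler attributes, which is the vector the advisory names; a real deployment should still run the converted HTML through a full allowlisting sanitizer that also strips script, style and unknown tags.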