Intrusion Prevention

Oracle.Reports.Web.Cartridge.RWCGI60.XSS

Description

This indicates a possible exploit of a cross-site scripting (XSS) vulnerability in Oracle Reports.
The issue is due to an input validation error in Oracle Reports Web Cartridge (RWCGI60) when it processes the "genuser" parameter passed to the rwcgi60 CGI script.
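The signature above fires on traffic; the same condition can be checked after the fact in web server access logs. The following Python script is an added example for this page, not Fortinet's signature logic or Oracle's code: it parses Common Log Format lines, isolates requests whose path ends in rwcgi60, URL-decodes the "genuser" value repeatedly (so a double-encoded value is not missed), and flags any value that carries an HTML tag opener or a javascript: URL. The log lines, client addresses and report names are constructed for the example; the path /reports/rwcgi60 is an assumed deployment path.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Common Log Format); not real traffic.
# Line 2 carries a plainly encoded tag, line 3 a double-encoded one.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2007:10:00:01 +0000] "GET /reports/rwcgi60?server=rep_srv&report=test.rdf&genuser=alice HTTP/1.1" 200 512
10.0.0.6 - - [10/Jan/2007:10:00:02 +0000] "GET /reports/rwcgi60?genuser=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512
10.0.0.7 - - [10/Jan/2007:10:00:03 +0000] "GET /reports/rwcgi60?genuser=%253Cb%253Ehi%253C%252Fb%253E HTTP/1.1" 200 512
10.0.0.8 - - [10/Jan/2007:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

# One Common Log Format line; only the fields the check needs are captured.
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Markers that have no business in a user name: an HTML tag opener or a javascript: URL.
MARKUP = re.compile(r"<\s*/?\s*[a-z!?]|javascript\s*:", re.I)


def decode_fully(value, max_rounds=3):
    """URL-decode until the value stops changing, so %253C is seen as '<'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def inspect_request(target):
    """Return a finding for an rwcgi60 request whose genuser value contains markup, else None."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/rwcgi60"):
        return None
    # parse_qs decodes each value once; decode_fully handles any further layers.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name.lower() != "genuser":
            continue
        for value in values:
            decoded = decode_fully(value)
            if MARKUP.search(decoded):
                return {"param": name, "raw": value, "decoded": decoded}
    return None


def scan_log(text):
    """Scan CLF text and return one finding dict per suspicious rwcgi60 request."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        hit = inspect_request(m.group("target"))
        if hit:
            hit.update(client=m.group("client"), ts=m.group("ts"), status=m.group("status"))
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['client']} genuser -> {f['decoded']!r}")
```

The check is deliberately narrow (one script path, one parameter) to mirror the signature; a 200 status on a flagged request is worth a closer look, since the vulnerable cartridge reflects the value rather than rejecting it.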

Affected Products

Oracle Database 10g Release 2 version 10.2.0.1
Oracle Database 10g Release 2 version 10.2.0.2
Oracle Database 10g Release 2 version 10.2.0.3
Oracle Database 10g Release 1 version 10.1.0.3
Oracle Database 10g Release 1 version 10.1.0.4
Oracle Database 10g Release 1 version 10.1.0.5
Oracle Identity Management 10g version 10.1.4.0.1
Oracle Application Server 10g Release 3 version 10.1.3.0.0
Oracle Application Server 10g Release 3 version 10.1.3.1.0
Oracle Application Server 10g Release 2 versions 10.1.2.0.0 through 10.1.2.0.2
Oracle Application Server 10g Release 2 version 10.1.2.1.0
Oracle Application Server 10g Release 2 version 10.1.2.2.0
Oracle Application Server 10g (9.0.4) version 9.0.4.2
Oracle Application Server 10g (9.0.4) version 9.0.4.3
Oracle Application Server 10g Release 1 (9.0.4) version 9.0.4.1
Oracle E-Business Suite Release 11i versions 11.5.7 through 11.5.10 CU2
Oracle E-Business Suite Release 11.0
Oracle Enterprise Manager 10g Grid Control Release 2 version 10.2.0.1
Oracle Enterprise Manager 10g Grid Control Release 1 version 10.1.0.4
Oracle Enterprise Manager 10g Grid Control Release 1 version 10.1.0.5
Oracle Enterprise Manager 10g Grid Control Release 1 version 10.1.0.3
Oracle PeopleSoft Enterprise PeopleTools version 8.22
Oracle PeopleSoft Enterprise PeopleTools version 8.47
Oracle PeopleSoft Enterprise PeopleTools version 8.48
Oracle Developer Suite, version 9.0.4.3
Oracle Developer Suite, version 10.1.2.0.2
Oracle Developer Suite, version 6i
Oracle8i Database Release 3 version 8.1.7.4
Oracle9i Database Release 2 version 9.2.0.7
Oracle9i Database Release 2 version 9.2.0.8
Oracle9i Database Release 1 version 9.0.1.5
Oracle9i Database Release 1 version 9.0.1.5 FIPS
Oracle9i Database Release 1 version 9.0.1.4
Oracle9i Application Server Release 2 version 9.0.2.3
Oracle9i Application Server Release 1 version 1.0.2.2
Oracle9i Database Release 2 version 9.2.0.5
Oracle9i Database Release 2 version 9.2.0.6

Impact

The execution of arbitrary HTML or web scripts on the system.

Recommended Actions

Apply Oracle Critical Patch Update (January 2007):
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html

CVE References

CVE-2007-0275