Cross-Site Scripting (XSS) Issues in OAAM: How to fix them? (Doc ID 956465.1)

Last updated on JUNE 07, 2017

Applies to:

Oracle Adaptive Access Manager - Version 10.1.4.5.0 and later
Information in this document applies to any platform.

Symptoms

-- Problem Statement:
Summary
Cross-site scripting issues were reported against the following OAAM URLs.

Actual Results
1. Cross-site scripting (reflected)

1.1. https://noctoarm1/oarm/listReportDeviceFreqLoginSummary.do [sortcolumn parameter]

1.2. https://noctoarm1/oarm/listReportLocationFreqLoginSummary.do [minCount parameter]

1.3. https://noctoarm1/oarm/listReportLocationInvalidLoginAttemptsSummary.do [minCount parameter]

1.4. https://noctoarm1/oarm/listReportLocationMultipleLoginFailureSummary.do [minCount parameter]

1.5. https://noctoarm1/oarm/listReportLocationMultipleLoginSuccessSummary.do [minCount parameter]

1.6. https://noctoarm1/oarm/listReportLocationMultipleUsersSummary.do [minCount parameter]

1.7. https://noctoarm1/oarm/modelDetails.do [currentTab parameter]

1.8. https://noctoarm1/oarm/modelDetails.do [currentTab parameter]

1.9. https://noctoarm1/oarm/modelDetails.do [currentTab parameter]

-- Steps To Reproduce:
Run a Burp Suite scan against the OARM GUI; the scanner reports the parameters listed above as reflected cross-site scripting.
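The following script is an added example for reproducing and later re-verifying the finding; it is not Oracle's code and not the fix delivered for this note. It takes the endpoint/parameter pairs and the hostname noctoarm1 from the list above (the three modelDetails.do/currentTab entries collapse to one pair), sends a canary in each flagged parameter and classifies how the page reflects it. The canary string, the three sample pages and the offline fetch stub are constructed here so it runs without a live server; swap the stub for an authenticated HTTP client to test a real instance.

```python
"""Canary reflection check for the OAAM/OARM parameters listed in the finding.

Added example, not Oracle's code.  Endpoints, parameters and the hostname
noctoarm1 come from the finding list; the canary, the sample pages and the
offline fetch stub are constructed so the check runs with no server.
"""
import html
import re
from urllib.parse import urlencode

BASE = "https://noctoarm1/oarm/"

# (endpoint, parameter) pairs as listed in the finding, deduplicated.
FINDINGS = [
    ("listReportDeviceFreqLoginSummary.do", "sortcolumn"),
    ("listReportLocationFreqLoginSummary.do", "minCount"),
    ("listReportLocationInvalidLoginAttemptsSummary.do", "minCount"),
    ("listReportLocationMultipleLoginFailureSummary.do", "minCount"),
    ("listReportLocationMultipleLoginSuccessSummary.do", "minCount"),
    ("listReportLocationMultipleUsersSummary.do", "minCount"),
    ("modelDetails.do", "currentTab"),
]

# The canary brackets an HTML-significant payload with a token that survives
# any encoder, so the reflected fragment can be located even after escaping.
TOKEN = "zq9k"
CANARY = TOKEN + '"><img src=x onerror=1>' + TOKEN
DANGEROUS = '<>"'


def probe_url(endpoint, param):
    """Build the request URL with the canary in the flagged parameter."""
    return BASE + endpoint + "?" + urlencode({param: CANARY})


def classify(body, token=TOKEN):
    """'unescaped' if any reflection keeps <, > and " intact; 'partial' if only
    some survive (still exploitable in the right context); 'encoded' if the
    value is reflected with all three neutralised; 'absent' if not reflected."""
    pattern = re.escape(token) + r"(.*?)" + re.escape(token)
    reflections = re.findall(pattern, body, re.S)
    if not reflections:
        return "absent"
    worst = "encoded"
    for fragment in reflections:
        surviving = {c for c in DANGEROUS if c in fragment}
        if surviving == set(DANGEROUS):
            return "unescaped"
        if surviving:
            worst = "partial"
    return worst


# Constructed stand-ins for three ways a page can write a parameter back.
def render_vulnerable(value):
    """Raw parameter written into text and into an attribute (the finding)."""
    return ('<html><body><p>No rows for minCount=' + value + '</p>'
            '<input name="minCount" value="' + value + '"></body></html>')


def render_fixed(value):
    """Same page with HTML entity encoding applied at the output point."""
    safe = html.escape(value, quote=True)
    return ('<html><body><p>No rows for minCount=' + safe + '</p>'
            '<input name="minCount" value="' + safe + '"></body></html>')


def render_partial(value):
    """A common bad fix: angle brackets stripped, quotes kept, so the
    attribute context is still breakable."""
    stripped = value.replace("<", "").replace(">", "")
    return ('<html><body><p>No rows for minCount=' + stripped + '</p>'
            '<input name="minCount" value="' + stripped + '"></body></html>')


def offline_fetch(url):
    """Stub HTTP client returning a constructed page per endpoint.  Replace
    with a real, authenticated client to test a live OARM instance."""
    if "sortcolumn=" in url:
        return render_fixed(CANARY)
    if "currentTab=" in url:
        return render_partial(CANARY)
    return render_vulnerable(CANARY)


def scan(fetch=offline_fetch, findings=FINDINGS):
    """Return {probe URL: classification} for every flagged pair."""
    return {probe_url(ep, p): classify(fetch(probe_url(ep, p)))
            for ep, p in findings}


if __name__ == "__main__":
    for url, verdict in scan().items():
        print(f"{verdict:10s} {url}")
```

After a fix is applied, rerun the scan and expect every entry to come back as "encoded" or "absent"; a "partial" verdict means a filter removed some characters but left enough to break out of the surrounding context and should be treated as still open. The check only judges HTML body and attribute contexts: a value echoed inside a script block needs JavaScript string escaping, which entity encoding does not provide and this script does not evaluate.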

-- Business Impact:
Level of Security risk

Cause
