PT-2018-2868 · Oracle · Oracle Secure Global Desktop

Rafael Pedrero · Published 2018-11-22 · Updated 2019-01-07 · CVE-2018-19439

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Oracle Secure Global Desktop versions prior to 5.4

Description
The issue exists because the administration console does not adequately protect the structure of its web pages: values supplied by the client are reflected into the generated page without proper neutralisation. A remote attacker can use this to execute arbitrary script in the victim's browser or to gain access to confidential information. The Administration Console in Oracle Secure Global Desktop is affected; a concrete instance is reflected XSS via all parameters of the helpwindow.jsp page, for example the windowTitle parameter of the /sgdadmin/faces/com sun web ui/help/helpwindow.jsp endpoint.

Recommendations
For Oracle Secure Global Desktop versions prior to 5.4, update to version 5.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the helpwindow.jsp page to minimise the risk of exploitation. Avoid using the vulnerable parameters, such as windowTitle, on the affected endpoint until the issue is resolved.
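Because the advisory states that every parameter of helpwindow.jsp is reflected, a defender monitoring an unpatched console can at least spot attempts in web-server access logs. The following Python detector is an added example, not code from the advisory or from Oracle: it parses combined-format log lines, picks out requests for helpwindow.jsp, percent-decodes every query parameter and flags values that carry markup or script fragments. The log lines are constructed, and the directory segment is written with underscores as an assumption (the advisory prints it with spaces); matching is done on the file name only.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (combined format); not real traffic.
# The directory written with underscores is an assumption; matching uses the file name only.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Nov/2018:10:01:02 +0000] "GET /sgdadmin/faces/com_sun_web_ui/help/helpwindow.jsp?windowTitle=Help&helpFile=intro.html HTTP/1.1" 200 512
10.0.0.7 - - [22/Nov/2018:10:01:09 +0000] "GET /sgdadmin/faces/com_sun_web_ui/help/helpwindow.jsp?windowTitle=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640
10.0.0.9 - - [22/Nov/2018:10:02:15 +0000] "GET /sgdadmin/faces/com_sun_web_ui/help/helpwindow.jsp?helpFile=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 640
10.0.0.11 - - [22/Nov/2018:10:03:00 +0000] "GET /sgdadmin/index.jsp HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Markup or script fragments that have no business in a help-window title or file name.
SUSPICIOUS = re.compile(r'<|>|javascript:|\bon[a-z]+\s*=', re.IGNORECASE)

def parse_line(line):
    """Split one combined-format log line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def suspicious_params(target):
    """Return (parameter, decoded value) pairs carrying markup for a helpwindow.jsp request."""
    url = urlsplit(target)
    if not url.path.lower().endswith('/helpwindow.jsp'):
        return []
    # parse_qsl percent-decodes each value, so encoded payloads are inspected in clear text;
    # every parameter is checked because the advisory says all of them are reflected.
    return [(name, value) for name, value in parse_qsl(url.query, keep_blank_values=True)
            if SUSPICIOUS.search(value)]

def scan_log(text):
    """Return one finding per suspicious parameter seen in helpwindow.jsp requests."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in suspicious_params(rec['target']):
            findings.append({'ip': rec['ip'], 'ts': rec['ts'], 'status': rec['status'],
                             'param': name, 'value': value})
    return findings

if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} helpwindow.jsp param={f['param']!r} value={f['value']!r}")
```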

XSS

Related Identifiers

BDU:2019-02399
CVE-2018-19439

Affected Products

Oracle Secure Global Desktop