PT-2006-7304 · Oracle · Oracle Portal

Published

2006-12-23

Updated

2018-10-17

CVE-2006-6703

CVSS v2.0

6.8

Medium

Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions: Oracle Portal versions 9i and 10g

Description: The issue allows remote attackers to inject arbitrary JavaScript code via the tc parameter in the "webapp/jsp/container tabs.jsp" API endpoint, and other unspecified vectors. This can lead to cross-site scripting (XSS) attacks.

Recommendations: For Oracle Portal version 9i, update to a version that includes the fix for this issue. For Oracle Portal version 10g, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the "webapp/jsp/container tabs.jsp" endpoint to minimize the risk of exploitation. Avoid using the tc parameter in the affected API endpoint until the issue is resolved.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Related Identifiers

CVE-2006-6703

Affected Products

Oracle Portal

PT-2006-7304 · Oracle · Oracle Portal

CVE-2006-6703

Related Identifiers

Affected Products

References · 5