=======================================================

Yaniv Miron aka "Lament" Advisory Feb 27, 2010

Oracle Siebel 7.x CRM (7.7, 7.8 tested) Cross Site Scripting Vulnerability

=======================================================



=====================

I. BACKGROUND

=====================

Siebel Customer Relationship Management (CRM) Applications



The world's most complete customer relationship management (CRM) solution,

Oracle's Siebel CRM helps organizations differentiate their businesses to

achieve maximum top-and bottom-line growth. It delivers a combination of

transactional, analytical, and engagement features to manage all

customer-facing operations. With solutions tailored to more than 20 industries,

Siebel CRM delivers:

Comprehensive on premise and on demand CRM solutions.

Tailored industry solutions.

Role-based customer intelligence and pre-built integration.



http://www.oracle.com/us/products/applications/siebel/index.htm



=====================

II. DESCRIPTION

=====================



A malicious attacker may inject scripts into the Oracle Siebel CRM application.



=====================

III. ANALYSIS

=====================



Exploitation of this vulnerability results in the execution of arbitrary

code using a malicious link.



=====================

IV. EXPLOIT

=====================



http://example.com/htim_enu/start.swe/?>'"><script>alert('XSS by 
Lament')</script>



=====================

V. DISCLOSURE TIMELINE

=====================



Jan 2009 Vulnerability found

Jan 2009 Vendor Notification

Feb 2010 Public Disclosure



=====================

VI. CRETID

=====================



Yaniv Miron aka "Lament".

[email protected]

Reply via email to