CVE-2009-1968
Oracle Database 10.1.8.3 - Cross-Site Scripting via Secure Enterprise Search Parameter
Title source: llm
Exploitation Summary
EIP tracks 1 public exploit for CVE-2009-1968. PoCs published by Alexandr Polyakov.
AI-analyzed exploit summary: The exploit demonstrates a cross-site scripting (XSS) vulnerability in Oracle Secure Enterprise Search by injecting a malicious script via the 'search_p_groups' parameter. The payload executes arbitrary JavaScript in the context of the affected site, potentially stealing cookies or performing other malicious actions.
Description
Unspecified vulnerability in the Secure Enterprise Search component in Oracle Database 10.1.8.3 allows remote attackers to affect integrity via unknown vectors. NOTE: the previous information was obtained from the July 2009 CPU. Oracle has not commented on claims from an established researcher that this is cross-site scripting (XSS) via the search_p_groups parameter in search/query/search.