CVE-2020-14723: Stored XSS in Oracle Help Technologies

Stored Cross-Site Scripting in Oracle

Vulnerability in the Oracle Help Technologies product of Oracle Fusion Middleware (component: Web UIX). Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Help Technologies.

CVE IDCVE-2020-14723

CVSS v3.18.2 High

VendorOracle

CWECWE-285

DisclosedJan 11, 2020

StatusFixed

01/Description

What this actually is.

Technical background, root cause, and affected surface.

A cross-site scripting (XSS) attack causes arbitrary code (JavaScript) to run in a user’s browser while the browser is connected to a trusted web site. The application targets the users and it uses your application as a vehicle for the attack.

*Affected Products: Oracle Help Technologies-UIX, Oracle Application Development Framework (ADF), Oracle’s Browser Look and Feel Plus (BLAF+), Oracle fusion middleware.

Vendor: Oracle
Affected Product: See Full List Below*
CVE: CVE-2020-14723
Securin ID: 2020-CSW-01-1037
Status: Fixed
Date: January 11, 2020
Severity: High
CVSS Score: 8.2
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
CWE: CWE-285

02/Proof of Concept

From one request
to root shell.

Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.

VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

ScopeChanged

ImpactC:H / I:L / A:N

SeverityHigh

The following vulnerability was tested on Oracle Web content Management version 12.2.1.3.0.

PoC · Exploitation Steps▲ trigger

01Figure01: Help docs page in the Oracle Web content.02Figure 02: Navigate to any of the help topics shown above.03Figure 03: Inserting a simple payload & reflects in the response body without sanitization.04Figure 04: While triggering the print page event, the payload gets stored and assigned with the path URL. Whenever the user clicks the print page, the payload will be executed in the user browser.

03/Impact

What an attacker does to you.

Post-exploitation outcomes mapped to CVSS impact metrics.

Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Help Technologies accessible data as well as unauthorized update, insert or delete access to some of Oracle Help Technologies accessible data.

04/Remediation

Fix it. In this order.

A runbook, not a checklist. Sequence matters — assume compromise before you act.

Download and apply the relevant patches from the vendor:

https://www.oracle.com/security-alerts/cpujul2020.html

Securin advisory — For coordinated remediation support or threat-actor briefings related to CVE-2020-14723, contact disclose@securin.io

05/Disclosure Timeline

Vendors moved in days.
Attackers in hours.

Reconstructed from vendor advisories, CISA bulletins, and Securin research records.

Jan 11, 2020

Reported to Vendor

Jan 12, 2020

Vendor Responded

Jun 19, 2020

CVE Assigned

Jul 14, 2020

Vendor Released Fixed

Disclosed 185 days after discovery

06/References

Cite, verify, go deeper.

Primary sources — NVD, CISA KEV, and machine-readable IoC feed.

NVD

NVD — CVE-2020-14723

nvd.nist.gov/vuln/detail/CVE-2020-14723 →

SEC

Securin VI — Full Technical Analysis

vi.securin.io →

Stored Cross-Site Scripting in Oracle

CVE IDCVE-2020-14723

CVSS v3.18.2 High

VendorOracle

CWECWE-285

DisclosedJan 11, 2020

StatusFixed

01/Description

What this actually is.

Technical background, root cause, and affected surface.

*Affected Products: Oracle Help Technologies-UIX, Oracle Application Development Framework (ADF), Oracle’s Browser Look and Feel Plus (BLAF+), Oracle fusion middleware.

Vendor: Oracle
Affected Product: See Full List Below*
CVE: CVE-2020-14723
Securin ID: 2020-CSW-01-1037
Status: Fixed
Date: January 11, 2020
Severity: High
CVSS Score: 8.2
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
CWE: CWE-285

02/Proof of Concept

From one request
to root shell.

Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.

VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

ScopeChanged

ImpactC:H / I:L / A:N

SeverityHigh

The following vulnerability was tested on Oracle Web content Management version 12.2.1.3.0.

PoC · Exploitation Steps▲ trigger

03/Impact

What an attacker does to you.

Post-exploitation outcomes mapped to CVSS impact metrics.

04/Remediation

Fix it. In this order.

A runbook, not a checklist. Sequence matters — assume compromise before you act.

Download and apply the relevant patches from the vendor:

https://www.oracle.com/security-alerts/cpujul2020.html

Securin advisory — For coordinated remediation support or threat-actor briefings related to CVE-2020-14723, contact disclose@securin.io

05/Disclosure Timeline

Vendors moved in days.
Attackers in hours.

Reconstructed from vendor advisories, CISA bulletins, and Securin research records.

Jan 11, 2020

Reported to Vendor

Jan 12, 2020

Vendor Responded

Jun 19, 2020

CVE Assigned

Jul 14, 2020

Vendor Released Fixed

Disclosed 185 days after discovery

06/References

Cite, verify, go deeper.

Primary sources — NVD, CISA KEV, and machine-readable IoC feed.

NVD

NVD — CVE-2020-14723

nvd.nist.gov/vuln/detail/CVE-2020-14723 →

SEC

Securin VI — Full Technical Analysis

vi.securin.io →

Stored Cross-Site Scripting in Oracle

What this actually is.

From one request
to root shell.

What an attacker does to you.

Fix it. In this order.

Vendors moved in days.
Attackers in hours.

Reported to Vendor

Vendor Responded

CVE Assigned

Vendor Released Fixed

Cite, verify, go deeper.

NVD — CVE-2020-14723

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

Stored Cross-Site Scripting in Oracle

What this actually is.

From one request
to root shell.

What an attacker does to you.

Fix it. In this order.

Vendors moved in days.
Attackers in hours.

Reported to Vendor

Vendor Responded

CVE Assigned

Vendor Released Fixed

Cite, verify, go deeper.

NVD — CVE-2020-14723

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

Stored Cross-Site Scripting in Oracle

What this actually is.

From one requestto root shell.

What an attacker does to you.

Fix it. In this order.

Vendors moved in days.Attackers in hours.

Reported to Vendor

Vendor Responded

CVE Assigned

Vendor Released Fixed

Cite, verify, go deeper.

NVD — CVE-2020-14723

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

Stored Cross-Site Scripting in Oracle

What this actually is.

From one requestto root shell.

What an attacker does to you.

Fix it. In this order.

Vendors moved in days.Attackers in hours.

Reported to Vendor

Vendor Responded

CVE Assigned

Vendor Released Fixed

Cite, verify, go deeper.

NVD — CVE-2020-14723

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

From one request
to root shell.

Vendors moved in days.
Attackers in hours.

From one request
to root shell.

Vendors moved in days.
Attackers in hours.