Full Report
In November 2023, while conducting a security assessment on a client’s instance of the Oracle Integration Cloud Platform, I discovered a medium severity vulnerability nestled within the handling of the “consumer_url” URL parameter. This flaw unveiled a Cross-Site Scripting (XSS) vector that could be exploited by a user with malicious intent. This vulnerability was disclosed […] The post Cross-site scripting vulnerability found in Oracle Integration Cloud appeared first on Outpost24.
Analysis Summary
# Vulnerability: Stored/Reflected Cross-Site Scripting (XSS) in Oracle Integration Cloud Platform
## CVE Details
- CVE ID: Not explicitly provided in the text (Awaiting official assignment/disclosure alongside the patch)
- CVSS Score: Medium (Implied by the description, specific score not calculated)
- CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
## Affected Systems
- Products: Oracle Integration Cloud Platform (OIC)
- Versions: Not explicitly specified, but prior to the July 2024 Critical Patch Update.
- Configurations: Any OIC instance accessible to a user with the necessary role/access to trigger the injection point.
## Vulnerability Description
A Cross-Site Scripting (XSS) vulnerability exists in Oracle Integration Cloud Platform due to improper handling of the `consumer_url` query parameter. While initial attempts to inject payloads were blocked by backend sanitization, a successful path was identified on the integration creation page (`/ic/integration/home/faces/link?page=integration&consumer_url=`). This allowed an attacker to inject arbitrary client-side scripts by using a known integration instance ID as context, bypassing the prior requirement for a specific, valid integration ID. The payload could trigger unexpectedly (e.g., upon closing an integration) or directly via the creation link.
## Exploitation
- Status: Proof of Concept (PoC) available (Internal testing confirmed exploitability).
- Complexity: Medium (Requires knowledge of the target OIC instance ID and the specific vulnerable endpoint structure).
- Attack Vector: Network
## Impact
- Confidentiality: Medium (Potential for session hijacking, cookie theft, or sensitive data exposure via client-side scripting).
- Integrity: High (Ability to modify the displayed content or interact with the platform on behalf of the user).
- Availability: Low (Primary impact is focused on user interaction/data theft rather than system downtime).
## Remediation
### Patches
- **Fixed in Oracle Critical Patch Update Advisory – July 2024 (Patched on 2024-07-16).**
  * Organizations should apply all relevant security updates released in the July 2024 CPU.
### Workarounds
- Implement strict network controls to restrict access to the Oracle Integration Cloud Platform, particularly for unauthenticated or restricted users, if feasible.
- Review access controls to ensure only trusted users can initiate integration creation sequences.
## Detection
- **Indicators of Compromise (IOCs):** Requests to OIC endpoints, visible in web access logs and browser histories, that carry unusual strings or script tags in the `consumer_url` parameter.
- **Detection Methods and Tools:**
  * Web Application Firewalls (WAFs) configured to inspect query strings for common XSS payloads (`<script>`, `javascript:`, etc.) targeting OIC URLs.
  * Security monitoring tools tracking unusual client-side errors or unexpected script executions originating from OIC domains.
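
A log check for the `consumer_url` indicator described above, as an added example that is not code from Oracle or Outpost24. It assumes a combined-format access log from a proxy in front of OIC; the function names, the allowed-scheme rule and the sample entries are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request target inside a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
# Markers from the Detection section plus raw markup characters (heuristic, expect noise).
MARKERS = re.compile(r"<\s*script|javascript:|[<>\"']", re.I)

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding so %253Cscript%253E is seen as <script>."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_consumer_url(line):
    """Return the decoded consumer_url value if it looks like script injection."""
    match = REQUEST.search(line)
    if not match:
        return None
    query = match.group(1).partition("?")[2]
    for raw in parse_qs(query, keep_blank_values=True).get("consumer_url", []):
        value = fully_decode(raw).strip()  # parse_qs already decoded one layer
        try:
            scheme = urlsplit(value).scheme.lower()
        except ValueError:  # unparseable value: report it for review
            return value
        # Assumption: a legitimate value is a relative path or an http(s) URL.
        if MARKERS.search(value) or scheme not in ("", "http", "https"):
            return value
    return None

def scan(lines):
    """Return (line_number, decoded_value) for every flagged log entry."""
    return [(n, v) for n, line in enumerate(lines, 1)
            if (v := suspicious_consumer_url(line)) is not None]

# Constructed entries for illustration, not taken from a real system.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Nov/2023:10:01:02 +0000] "GET /ic/integration/home/faces/link?page=integration&consumer_url=https%3A%2F%2Fapp.example.invalid%2Fhome HTTP/1.1" 200 512',
    '198.51.100.9 - - [12/Nov/2023:10:03:44 +0000] "GET /ic/integration/home/faces/link?page=integration&consumer_url=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 498',
    '198.51.100.9 - - [12/Nov/2023:10:04:10 +0000] "GET /ic/integration/home/faces/link?page=integration&consumer_url=javascript%3Aalert(1) HTTP/1.1" 200 498',
    '198.51.100.3 - - [12/Nov/2023:10:05:00 +0000] "GET /ic/home/ HTTP/1.1" 200 1024',
]
if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: consumer_url={value!r}")
```

Decoding repeatedly before matching matters here because a WAF rule that inspects only the raw query string would miss the double-encoded second entry.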
## References
- Vendor Advisory: www.oracle.com/security-alerts/cpujul2024.html
- Researcher Disclosure Link: outpost24.com/policies/responsible-disclosure/