PT-2012-49: Cross-Site Scripting in Oracle Siebel CRM Vulnerable softwareOracle Siebel CRM Version: 8.1.1, 8.2.2Link: http://www.oracle.com/us/products/applications/siebel/overview/index.htmlSeverity levelSeverity level: Medium Impact: Cross-Site Scripting Access Vector: Remote CVSS v2: Base Score: 5.0 Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)CVE: CVE-2013-1510Software descriptionOracle Siebel CRM is a customer relationship management application used to develop a complex corporate information system. Vulnerability descriptionThe specialists of the Positive Research center have detected a Cross-Site Scripting vulnerability in Oracle Siebel CRM.The application does not verify input data sent by users, therefore an attacker is able to inject arbitrary code into the page and get access to the session with victim’s privileges.How to fixUpdate your software up to the latest versionAdvisory status26.09.2012 - Vendor gets vulnerability details 16.04.2013 - Vendor releases fixed version and details 25.10.2013 - Public disclosureCreditsThe vulnerability was detected by Pavel Toporkov, Positive Research Center (Positive Technologies Company)Referenceshttp://en.securitylab.ru/lab/PT-2012-49 http://www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html Reports on the vulnerabilities previously discovered by Positive Research:http://www.ptsecurity.com/research/advisory/ http://en.securitylab.ru/lab/