Cross-Site-Scripting Vulnerabilitiy in Oracle APEX NOTIFICATION_MSG Name Cross-Site-Scripting Vulnerabilitiy in Oracle APEX NOTIFICATION_MSG Systems Affected Oracle APEX/HTMLDB Severity Medium Risk Category Cross Site Scripting (XSS/CSS) Vendor URL http://www.oracle.com/ Author Alexander Kornbrust (ak at red-database-security.com) Date 18 October 2006 (V 1.00) Advisory http://www.red-database-security.com/advisory/oracle_apex_css_notification_msg.html Details ####### The parameter NOTIFCATION_MSG parameter contains a cross site scripting vulnerability. Affected Products ################# Oracle APEX/HTMLDB < 2.2.1 Patch Information ################# This bug is fixed with the patch 2.2.1 of APEX which is not part of the Critical Patch Update October 2006. It's necessary to upgrade your APEX/HTMLDB installation to 2.2.1. Patches are currently not available for Oracle Application Express. History ####### 03-oct-2005 Oracle secalert was informed 04-oct-2005 Bug confirmed 17-oct-2006 Oracle published CPU October 2006 18-oct-2006 Red-Database-Security published this advisory Additional Information ###################### An analysis of the Oracle CPU Oct 2006 is available here http://www.red-database-security.com/advisory/oracle_cpu_oct_2006.html
