CVE-2025-30694 – Oracle XML DB 9i

Vulnerability Description: Improper Neutralization of Input During Web Page Generation ('Stored Cross-site Scripting') - CWE-79

Software Version: 9.2.0.6

NIST: https://nvd.nist.gov/vuln/detail/CVE-2025-30694

CVSS:

Severity:

Credits: Cristian Castrechini, Alberto Arganese, Federico Draghelli, Massimiliano Brolli

A Stored XSS vulnerability was discovered in the file upload feature.

Step-by-step instructions and PoC

An authenticated user can upload a file containing a malicious payload; because the uploaded content is not sanitized, the payload executes whenever another user views the file in a browser.

Affected Endpoints

• URL: http://[HOST]:[PORT]

Below is the evidence, with the vulnerability details and the payloads used.

Payload used to exploit the vulnerability:

Figure 1 – Payload

Figure 2 – Upload request with PUT verb and response

Figure 3 – XSS executed in browser

Security Impact

This vulnerability allows an authenticated attacker to execute arbitrary JavaScript code in the browsers of other users, leading to potential session hijacking, data exfiltration, or execution of actions on behalf of affected users.
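As an added example that is not part of the advisory or of Oracle's code, the following Python shows two defensive checks against the upload-then-view pattern described above: flagging successful PUT/POST requests that stored browser-renderable files (constructed sample log lines), and serving stored uploads with headers that stop a browser from interpreting them inline (a hypothetical upload handler, not Oracle XML DB's own).

```python
import re

# Constructed example: hypothetical upload handler and detection logic, not Oracle or TIM code.
# Extensions a browser renders as a document instead of downloading.
ACTIVE_EXTENSIONS = {"html", "htm", "xhtml", "shtml", "svg", "xml", "xsl", "xslt"}
# Byte patterns that make a file act as markup even under an innocent extension.
ACTIVE_MARKERS = re.compile(
    rb"<\s*(script|svg|html|iframe|object|embed|\?xml)|\bon\w+\s*=|javascript:", re.I)

def extension(path: str) -> str:
    base = path.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""

def looks_active(filename: str, body: bytes) -> bool:
    """True if this stored file would be interpreted by a browser when viewed inline."""
    if extension(filename) in ACTIVE_EXTENSIONS:
        return True
    return ACTIVE_MARKERS.search(body[:4096]) is not None

def download_headers(filename: str, body: bytes) -> dict:
    """Response headers that keep a user-uploaded file from running as a page."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename.rsplit("/", 1)[-1])
    headers = {
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }
    if looks_active(filename, body):
        headers["Content-Type"] = "application/octet-stream"  # never text/html or image/svg+xml
    return headers

# Common Log Format: client - user [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(r'^\S+ \S+ (\S+) \[[^\]]+\] "(PUT|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def flag_uploads(log_lines) -> list:
    """(user, path) for every successful PUT/POST that stored active content."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group(4).startswith("2") and extension(m.group(3)) in ACTIVE_EXTENSIONS:
            hits.append((m.group(1), m.group(3)))
    return hits

SAMPLE_LOG = [  # constructed sample, not taken from the advisory
    '10.0.0.5 - alice [10/Mar/2025:10:01:02 +0000] "PUT /docs/report.pdf HTTP/1.1" 201 0',
    '10.0.0.9 - bob [10/Mar/2025:10:01:30 +0000] "PUT /docs/notes.html HTTP/1.1" 201 0',
    '10.0.0.9 - bob [10/Mar/2025:10:02:00 +0000] "GET /docs/notes.html HTTP/1.1" 200 512',
    '10.0.0.7 - eve [10/Mar/2025:10:03:00 +0000] "PUT /docs/logo.svg HTTP/1.1" 403 0',
]
```

Only bob's stored `.html` file is flagged: the PDF is inert, the GET is not an upload, and eve's PUT was rejected with 403.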