Oracle HTTP Server versions 8.1.7, 9.0.1 and 9.2.0 contain a vulnerability that allows a remote attacker to perform cross-site scripting attacks.
The vulnerability is due to improper filtering of user-supplied data passed in certain parameters. An attacker could exploit this vulnerability by creating a malicious URL that contains script code and convincing a user to load it. This could allow scripts to execute in the context of the site running on the affected server, possibly allowing the attacker to obtain sensitive user information, such as cookies or any data recently submitted to the site.
Exploit code is available.
Patches are unavailable.