1 Reply Latest reply on Jan 16, 2013 10:21 AM by Patrick Wolf-Oracle

    Classic date picker - XSS vulnerability?

    Tony Andrews
      We are not currently using the jQuery Date Picker items because of the accessibility bug documented in the APEX 4.2 Release Notes:

      <blockquote>The modern inline date pickers are not usable with screen readers or magnification due to focus not being set correctly. The data table is also missing a caption or summary text to describe the data in the table. Workaround for Custom Applications: Use the 'Classic Datepicker' which is coded to the standards. Workaround for Development Environment: Enter the date manually into the date input field. This issue is tracked with Oracle bug 9740473.</blockquote>

      So we have been using Date Picker (Classic). However, now a customer has had a penetration test performed by a third party and they have said that Date Picker (Classic) has an XSS vulnerability. The issue is that the URL for the date picker is exposed e.g.


      This URL can then be copied into another browser window and manipulated, e.g. changing the p_bgcolor or p_yyyy parameters.

      We don't know how, but the penetration tester has said that "this vulnerability could be used to steal cookies information and potentially user credentials".

      Can anyone please confirm that this is in fact a risk, and if so what can be done to remove it? (Or confirm that it is not a risk at all!)


        • 1. Re: Classic date picker - XSS vulnerability?
          Patrick Wolf-Oracle
          Hi Tony,

          if your customer thinks that they have found a vulnerability in an Oracle product we encourage them to report it as described at the following link


          My Blog: http://www.inside-oracle-apex.com
          APEX Plug-Ins: http://apex.oracle.com/plugins
          Twitter: http://www.twitter.com/patrickwolf