I was asked to help during the webapp pentest of Oracle EMPS. I decided to share one XSS bug I found with you. Below you will find the details. Here we go...
This time we will start here:
"What is this?" you may ask. I strongly recommend checking the "Help" ;)
I tried to search for help using Burp Suite as a proxy:
As you can see below, the topic parameter is vulnerable to XSS. The response from the webapp is shown in the screenshot below:
And this is the output of 'show response in browser':
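To make the bug concrete without the screenshots, here is an added example (not code from the original post or from Oracle EMPS) that models a help page reflecting the `topic` query parameter into its HTML, beside the entity-encoded version, and the canary check a reviewer uses to tell the two apart. The page markup and the canary string are assumptions for illustration.

```python
import html

# Constructed model of a help page that reflects the "topic" parameter.
# Not the real Oracle EMPS code; it only reproduces the kind of reflection
# the post reports, so the fix can be shown next to it.


def render_help_vulnerable(topic: str) -> str:
    """Reflects 'topic' verbatim into the HTML body: any markup in the
    parameter becomes part of the page (reflected XSS)."""
    return f"<h1>Help: {topic}</h1><p>No help entry found for this topic.</p>"


def render_help_fixed(topic: str) -> str:
    """Same page, but the reflected value is HTML-entity encoded.
    quote=True also encodes ' and " so the value is safe inside attributes."""
    safe = html.escape(topic, quote=True)
    return f"<h1>Help: {safe}</h1><p>No help entry found for this topic.</p>"


# Constructed canary: the HTML metacharacters that must never reach the
# response unencoded. Harmless on its own, but if it comes back intact the
# parameter is reflected without output encoding.
CANARY = "xss'\"<>"


def reflects_unencoded(page: str, probe: str = CANARY) -> bool:
    """True if the probe appears in the response with its metacharacters
    intact, i.e. the parameter is reflected without encoding."""
    return probe in page


def audit(render) -> dict:
    """Send the canary through a renderer and report how it came back:
    raw (unsafe) or entity-encoded (safe)."""
    page = render(CANARY)
    return {
        "reflected_raw": reflects_unencoded(page),
        "encoded": html.escape(CANARY, quote=True) in page,
    }


if __name__ == "__main__":
    print("vulnerable:", audit(render_help_vulnerable))
    print("fixed:     ", audit(render_help_fixed))
```

The same canary check works against a live response captured in a proxy: if the metacharacters survive in the body, the parameter needs output encoding at the point of reflection.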
Maybe you will find it useful. ;)
See you next time!
Cheers