CVE-2019-2578
published 2019-04-23


Priority: P276 high
CVSS 3.0 base score: 8.6 (vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
Exploit: EPSS 67.54% (99.2nd percentile)
Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent: Advanced UI). The supported version that is affected is 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Sites. While the vulnerability is in Oracle WebCenter Sites, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebCenter Sites accessible data. CVSS 3.0 Base Score 8.6 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N).

Affected (2 ranges)

Vendor              Product          Version range   Fixed in
oracle              webcenter_sites
oracle_corporation  webcenter_sites

Detection & IOCs (extracted from sources)

url: /cs/Satellite?pagename=OpenMarket/Xcelerate/Admin/WebReferences
url: /cs/Satellite?pagename=OpenMarket/Xcelerate/Admin/Slots
path: /cs/Satellite
  • Probe unauthenticated GET requests to the two admin endpoints; a successful (non-redirect, non-403) response body matching the admin page content indicates the broken access control is exploitable.
  • The Nuclei template uses stop-at-first-match across both admin pagename paths, meaning either endpoint returning admin content confirms exploitation.
  • Detection targets Oracle WebCenter Sites version 12.2.1.3.0 specifically; scope scanning to hosts exposing the /cs/Satellite servlet.
  • The vulnerability is unauthenticated and reachable over HTTP with no special preconditions (AC:L, PR:N, UI:N), making it trivially scannable from the network.
  • The Nuclei template's regex matcher body is empty, meaning the detection rule as published does not have a defined match pattern and will not produce reliable results without a proper regex being supplied.
  • Only version 12.2.1.3.0 of Oracle WebCenter Sites is confirmed affected; scanning other versions may produce false positives.

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     v3.0     8.6    HIGH      CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
nvd     v2.0     5.0    MEDIUM    AV:N/AC:L/Au:N/C:P/I:N/A:N