CVE-2019-2579
published 2019-04-23


Priority: P4 · CVSS 3.0 base score 4.3 (Medium)
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Exploit: known
EPSS: 5.08% (91.3rd percentile)
Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent: Advanced UI). The supported version that is affected is 12.2.1.3.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle WebCenter Sites. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle WebCenter Sites accessible data. CVSS 3.0 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).

Affected (2 ranges)

Vendor              Product          Version range              Fixed in
oracle              webcenter_sites  12.2.1.3.0 (per advisory)  (not listed)
oracle_corporation  webcenter_sites  12.2.1.3.0 (per advisory)  (not listed)

Detection & IOCs (extracted from sources)

Type     Value
url      /cs/Satellite?pagename=OpenMarket/Xcelerate/Admin/WebReferences
url      /cs/ContentServer
command  searchText=%27+and+%271%27%3D%270+--
other    _authkey_={{authkey}}&pagename=OpenMarket%2FXcelerate%2FAdmin%2FWebReferences&op=search&urlsToDelete=&resultsPerPage=25&searchChoice=webroot&searchText=%27+and+%271%27%3D%270+--
  • Request side: match the SQL injection payload in the searchText parameter of POST bodies sent to /cs/ContentServer. Response side: a successful request returns the Web References admin page, which echoes the submitted searchText back into the search field, so the literal string "value='' and '1'='0 --" appearing in the HTTP response body together with 'Use this utility to view and manage URLs' indicates the authenticated injection went through.
  • The attack is a two-step sequence: first a GET to the WebReferences page to extract a valid _authkey_ token (regex: NAME='_authkey_' VALUE='([0-9A-Z]+)'>), then a POST to /cs/ContentServer carrying that token and the SQLi payload in searchText.
  • Monitor POST requests to /cs/ContentServer with Content-Type: application/x-www-form-urlencoded whose 'searchText' parameter contains SQL injection patterns (e.g., a single quote followed by boolean logic and a comment sequence such as "--"). Correlating the POST with a preceding GET to the WebReferences page from the same client or session raises confidence that the full sequence is being run.
  • Exploitation requires a low-privileged authenticated session; the attacker must first obtain a valid _authkey_ token via the GET request before the SQLi POST will succeed, so a POST with the payload but without a valid _authkey_ is an attempt, not a confirmed compromise.
  • Only Oracle WebCenter Sites version 12.2.1.3.0 is confirmed affected; scope alerting by asset inventory (which hosts run that version) rather than by dropping the signature, since the request pattern is anomalous on any version and the decoded payload is cheap to match.
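The request-side check, the two-step correlation, the _authkey_ extraction and the response-side check above, turned into runnable detection logic as an added example. This is editorial example code, not something taken from the CVE sources or from the template the IOCs were extracted from. The log line format, the client addresses, the _authkey_ values and the HTML fragments are constructed for illustration; the URL paths, parameter names, payload encoding, authkey regex and response strings are the ones listed in the IOCs.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs

# Constructed sample traffic (not real logs). Field layout, made up for this example:
# "timestamp client method path content_type body" (body is "-" for requests without one).
SAMPLE_LOG = [
    "2019-05-01T10:00:01Z 10.0.0.5 GET /cs/Satellite?pagename=OpenMarket/Xcelerate/Admin/WebReferences - -",
    "2019-05-01T10:00:03Z 10.0.0.5 POST /cs/ContentServer application/x-www-form-urlencoded "
    "_authkey_=0A1B2C3D&pagename=OpenMarket%2FXcelerate%2FAdmin%2FWebReferences&op=search"
    "&urlsToDelete=&resultsPerPage=25&searchChoice=webroot&searchText=%27+and+%271%27%3D%270+--",
    # Benign admin search: same endpoint and form, no injection in searchText.
    "2019-05-01T10:02:00Z 10.0.0.9 POST /cs/ContentServer application/x-www-form-urlencoded "
    "_authkey_=9F9F9F9F&pagename=OpenMarket%2FXcelerate%2FAdmin%2FWebReferences&op=search"
    "&searchChoice=webroot&searchText=products",
    # Payload fired without the token and without the preceding GET: an attempt, not the full sequence.
    "2019-05-01T10:03:00Z 10.0.0.7 POST /cs/ContentServer application/x-www-form-urlencoded "
    "pagename=OpenMarket%2FXcelerate%2FAdmin%2FWebReferences&op=search&searchText=%27+or+%271%27%3D%271+--",
]

# Constructed HTML fragments standing in for the two server responses (not captured from a real host).
SAMPLE_WEBREFS_HTML = "<FORM><INPUT TYPE='hidden' NAME='_authkey_' VALUE='0A1B2C3D'></FORM>"
SAMPLE_RESPONSE = ("<p>Use this utility to view and manage URLs</p>"
                   "<INPUT TYPE='text' NAME='searchText' value='' and '1'='0 --'>")

# Token regex from the IOC list, used by step 1 of the sequence.
AUTHKEY_RE = re.compile(r"NAME='_authkey_' VALUE='([0-9A-Z]+)'>")
# Heuristic for the decoded searchText: quote, boolean operator, a comparison, then a comment sequence.
SQLI_RE = re.compile(r"'\s*(?:and|or)\b.*=.*--", re.IGNORECASE)
WEBREFS_PAGE = "pagename=OpenMarket/Xcelerate/Admin/WebReferences"
REFLECTED_PAYLOAD = "value='' and '1'='0 --"
UTILITY_TEXT = "Use this utility to view and manage URLs"


def parse_line(line):
    """Split one constructed log record into its fields."""
    ts, client, method, path, ctype, body = line.split(" ", 5)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "client": client,
            "method": method, "path": path, "ctype": ctype, "body": body}


def extract_authkey(html):
    """Step 1 of the attack: pull the _authkey_ token out of the WebReferences page."""
    m = AUTHKEY_RE.search(html)
    return m.group(1) if m else None


def response_indicates_success(body):
    """Response-side check: payload echoed in the search field on the rendered admin page."""
    return REFLECTED_PAYLOAD in body and UTILITY_TEXT in body


def detect(lines, window=timedelta(minutes=10)):
    """Flag SQLi POSTs to /cs/ContentServer and correlate each with a prior WebReferences GET."""
    events = [parse_line(l) for l in lines]
    alerts = []
    for ev in events:
        if ev["method"] != "POST" or ev["path"] != "/cs/ContentServer":
            continue
        if not ev["ctype"].startswith("application/x-www-form-urlencoded"):
            continue
        form = parse_qs(ev["body"])          # parse_qs also URL-decodes the values
        search = form.get("searchText", [""])[0]
        if not SQLI_RE.search(search):
            continue
        # Two-step correlation: same client fetched the WebReferences page within the window.
        prior_get = any(
            e["client"] == ev["client"] and e["method"] == "GET"
            and e["path"].startswith("/cs/Satellite?") and WEBREFS_PAGE in e["path"]
            and timedelta(0) <= ev["ts"] - e["ts"] <= window
            for e in events)
        alerts.append({"ts": ev["ts"].isoformat(), "client": ev["client"], "payload": search,
                       "has_authkey": "_authkey_" in form, "two_step": prior_get})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
    print("authkey:", extract_authkey(SAMPLE_WEBREFS_HTML))
    print("response matched:", response_indicates_success(SAMPLE_RESPONSE))
```

On the constructed input this raises two alerts: the 10.0.0.5 sequence with a token and a preceding GET (full exploitation pattern), and the 10.0.0.7 POST with neither (an attempt that the server should reject for lack of a valid session). The benign admin search from 10.0.0.9 is not flagged, which is the false-positive case the version-scoping note above is concerned with.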

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     3.0      4.3    MEDIUM    CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
nvd     2.0      4.0    MEDIUM    AV:N/AC:L/Au:S/C:P/I:N/A:N