CVE-2019-2767
published 2019-07-23


Priority: P2 · 77 · high
CVSS 3.0 base score: 7.2
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Flags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 5.24% (91.5th percentile)
Vulnerability in the BI Publisher (formerly XML Publisher) component of Oracle Fusion Middleware (subcomponent: BI Publisher Security). The supported versions that are affected are 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0. This easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise BI Publisher (formerly XML Publisher). While the vulnerability is in BI Publisher (formerly XML Publisher), attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some BI Publisher (formerly XML Publisher) accessible data as well as unauthorized read access to a subset of BI Publisher (formerly XML Publisher) accessible data. CVSS 3.0 Base Score 7.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N).

Affected (4 ranges)

Vendor             | Product      | Version range | Fixed in
oracle             | bi_publisher |               |
oracle_corporation | bi_publisher |               |
oracle_corporation | bi_publisher |               |
oracle_corporation | bi_publisher |               |

Detection & IOCs (extracted from sources)

URL: /xmlpserver/convert?xml=%25sp%3b%25param1%3b]>&_xf=Excel&_xl=123&template=123
  • HTTP GET request to the /xmlpserver/convert endpoint with a URL-encoded XXE payload in the 'xml' parameter, combined with the '_xf=Excel', '_xl=123' and 'template=123' query parameters; no authentication required
  • Successful exploitation confirmed via out-of-band HTTP interaction (OAST/interactsh); monitor for unexpected outbound HTTP callbacks originating from the BI Publisher server
  • The vulnerability is unauthenticated and exploitable over HTTP, so no prior access or credentials are needed; any unauthenticated request to /xmlpserver/convert with XML entity parameters should be treated as suspicious
  • Affected versions are strictly 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0; detection should be scoped to these versions of Oracle BI Publisher
  • The vulnerability resides in the BI Publisher Security subcomponent; attacks may have scope impact on additional products beyond BI Publisher itself
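A defender-side check for the request pattern described in the bullets above, added here as an example (not code from the page's sources): it parses access-log lines, decodes the 'xml' parameter of /xmlpserver/convert requests and flags DTD or entity syntax. The log lines and the marker list are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed access-log sample (Common Log Format). The first line carries the
# request shape from the IOC above; the other two are benign traffic for contrast.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Jul/2019:10:00:01 +0000] "GET /xmlpserver/convert?xml=%25sp%3b%25param1%3b]>&_xf=Excel&_xl=123&template=123 HTTP/1.1" 200 512
10.0.0.6 - - [23/Jul/2019:10:00:02 +0000] "GET /xmlpserver/login.jsp HTTP/1.1" 200 1024
10.0.0.7 - - [23/Jul/2019:10:00:03 +0000] "POST /xmlpserver/convert?xml=%3Creport%2F%3E&_xf=Excel HTTP/1.1" 200 2048
"""

# client ip, method, request target, status
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# DTD / entity syntax that a report-conversion request has no business carrying.
# Assumption: legitimate use of this endpoint never needs a DTD in 'xml'.
ENTITY_MARKERS = re.compile(r'<!DOCTYPE|<!ENTITY|%[A-Za-z_][\w.-]*;|\]\s*>', re.IGNORECASE)


def fully_decode(value, rounds=3):
    """Undo layered percent-encoding; the IOC is double-encoded (%25 -> %)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_suspicious_convert_request(target):
    """True when the target is /xmlpserver/convert and 'xml' contains entity/DTD syntax."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith('/xmlpserver/convert'):
        return False
    for raw in parse_qs(parts.query, keep_blank_values=True).get('xml', []):
        if ENTITY_MARKERS.search(fully_decode(raw)):
            return True
    return False


def scan_access_log(text):
    """Return (client_ip, method, target) for every suspicious request line."""
    hits = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if m and is_suspicious_convert_request(m.group(3)):
            hits.append((m.group(1), m.group(2), m.group(3)))
    return hits


if __name__ == "__main__":
    for ip, method, target in scan_access_log(SAMPLE_LOG):
        print(f"suspicious {method} from {ip}: {target}")
```

Pair the request match with the outbound-callback monitoring from the second bullet: a flagged request followed by an unexpected egress connection from the BI Publisher host is the stronger signal.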

CVSS provenance

NVD v3.0: 7.2 HIGH, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
NVD v2.0: 6.4 MEDIUM, AV:N/AC:L/Au:N/C:P/I:P/A:N
VulnCheck: 7.2 HIGH