CVE-2013-5877

Oracle Demantra Demand Management <12.2.1 - Info Disclosure


Exploitation Summary

EIP tracks 2 public exploits for CVE-2013-5877. PoCs published by Portcullis, Oliver Gruskovnjak, including Metasploit module auxiliary/scanner/http/oracle_demantra_file_retrieval.

AI-analyzed exploit summary: This exploit demonstrates a Local File Inclusion (LFI) vulnerability in Oracle Demantra Spectrum's GraphServlet. It allows an attacker to read arbitrary files from the server, such as the web.xml configuration file, by manipulating the 'filename' parameter in a POST request.

Description

Unspecified vulnerability in the Oracle Demantra Demand Management component in Oracle Supply Chain Products Suite 7.2.0.3 SQL-Server, 7.3.0, 7.3.1, 12.2.0, and 12.2.1 allows remote attackers to affect confidentiality via unknown vectors related to DM Others.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Portcullis · text · webapps · windows
https://www.exploit-db.com/exploits/31992

This exploit demonstrates a Local File Inclusion (LFI) vulnerability in Oracle Demantra Spectrum's GraphServlet. It allows an attacker to read arbitrary files from the server, such as the web.xml configuration file, by manipulating the 'filename' parameter in a POST request.

Classification
Working Poc 90%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Oracle Demantra Spectrum
No auth needed
Prerequisites: Network access to the target server · Oracle Demantra Spectrum installed and running
devstral-2 · analyzed Feb 16, 2026
metasploit WORKING POC
by Oliver Gruskovnjak · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/oracle_demantra_file_retrieval.rb

This Metasploit module exploits an authentication bypass (CVE-2013-5877) and arbitrary file retrieval vulnerability (CVE-2013-5880) in Oracle Demantra 12.2.1, allowing unauthenticated attackers to download arbitrary files from the system.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Oracle Demantra 12.2.1
No auth needed
Prerequisites: Network access to the target system · Oracle Demantra 12.2.1 running on the target
devstral-2 · analyzed Feb 16, 2026

References (6)

Core References
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_osvdb)
http://osvdb.org/102094
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_sectrack)
http://www.securitytracker.com/id/1029620
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid)
http://www.securityfocus.com/bid/64831
Third Party Advisory (third-party-advisory, x_refsource_secunia)
http://secunia.com/advisories/56474
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid)
http://www.securityfocus.com/bid/64758

Scores

EPSS 0.5497
EPSS Percentile 98.9%

Details

Status published
Products (5)
oracle/supply_chain_products_suite 7.2.0.3
oracle/supply_chain_products_suite_sql-server 7.3.0
oracle/supply_chain_products_suite_sql-server 7.3.1
oracle/supply_chain_products_suite_sql-server 12.2.0
oracle/supply_chain_products_suite_sql-server 12.2.1
Published Jan 15, 2014
Tracked Since Feb 18, 2026